HP StorageWorks 

Secure Fabric OS 5.0.0 

user guide 



Part number: AA-RW1 UA-TE 
First edition: May 2005 



Legal and notice information 



Copyright © 2005 Hewlett Packard Development Company, LP. 
Copyright © 2005, Brocade Communications Systems, Incorporated. 

Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied 
warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or 
for incidental or consequential damages in connection with the furnishing, performance, or use of this material. 

This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, 
reproduced, or translated into another language without the prior written consent of Hewlett-Packard. The information is provided 
"as is" without warranty of any kind and is subject to change without notice. The only warranties for HP products and services are 
set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as 
constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. 

Microsoft, Windows, Windows NT, and Windows XP are U.S. registered trademarks of Microsoft Corporation. 

UNIX® is a registered trademark of The Open Group. 



Secure Fabric OS 5.0.0 user guide 



Contents 



About this guide 7 

Intended audience 7 

Related documentation 7 

Document conventions and symbols 8 

HP technical support 9 

HP Storage web site 9 

HP authorized reseller 10 

1 Introducing Secure Fabric OS 11 

Changes to this guide for OS v5.0.0 11 

Management channel Security 11 

Secure shell (SSH) 12 

Sectelnet 13 

Telnet 13 

Switch-to-Switch authentication 13 

Using PKI 13 

Using DH-CHAP 14 

Fabric configuration server switches 14 

Fabric management policy set 15 

2 Integrating Secure Fabric OS 19 

Adding Secure Fabric OS 20 

Identifying the current version of Fabric OS 21 

Adding Secure Fabric OS to SAN switches 21 

Customizing the account passwords 23 

Verifying or activating the Secure Fabric OS and Advanced Zoning licenses 24 

Adding Secure Fabric OS to switches that require upgrading 25 

Upgrading to a compatible version of Fabric OS 26 

Customizing the account passwords 27 

Verifying or Activating the Secure Fabric OS and Advanced Zoning licenses 27 

Installing the PKICert utility 28 

Using the PKICert utility 28 

Obtaining the digital certificate file 34 

Distributing digital certificates to the switches 34 

Verifying installation of the digital certificates 38 

Recreating PKI objects if required 39 

Creating PKI certificate reports 40 

Accessing PKI certificate help 44 

Adding Secure Fabric OS to HP StorageWorks enterprise class switches 46 




Installing a supported CLI client on a computer workstation 49 

Configuring authentication 50 

Selecting authentication protocols 50 

Managing shared secrets 52 

3 Creating Secure Fabric OS policies 55 

Default Fabric and switch accessibility 56 

Enabling Secure mode 57 

Modifying the FCS policy 62 

Changing the position of a switch within the FCS policy 63 

Failing over the primary FCS switch 64 

Creating Secure Fabric OS policies other than the FCS policy 66 

Creating a MAC policy 68 

Creating an SNMP policy 68 

Telnet policy 70 

HTTP policy 71 

API policy 72 

SES policy 74 

Management server policy 75 

Serial port policy 76 

Front panel policy 77 

Creating an options policy 78 

Creating a DCC policy 79 

Creating an SCC policy 82 

Managing Secure Fabric OS policies 83 

Saving changes to Secure Fabric OS policies 84 

Activating changes to Secure Fabric OS policies 84 

Adding a member to an existing policy 85 

Removing a member from a policy 86 

Deleting a policy 86 

Aborting All uncommitted changes 87 

Aborting a Secure Fabric OS transaction 87 

4 Managing Secure Fabric OS 89 

Viewing Secure Fabric OS information 89 

Displaying general Secure Fabric OS information 90 

Viewing the Secure Fabric OS policy database 90 

Displaying individual Secure Fabric OS policies 91 

Displaying status of Secure mode 92 

Displaying and resetting Secure Fabric OS statistics 93 

Displaying Secure Fabric OS statistics 96 

Resetting Secure Fabric OS statistics 96 

Managing passwords 97 

Modifying passwords in Secure mode 100 

Modifying the FCS switch passwords or the fabric-wide user password 100 

Modifying the non-FCS switch admin password 100 






Using temporary passwords 1 

Creating a temporary password for a switch 1 

Removing a temporary password from a switch 1 

Resetting the version number and time stamp 1 

Adding switches and merging fabrics with Secure mode enabled 1 

Troubleshooting 1 

Frequently asked questions 1 

General 1 

Management access 1 

Digital certificates and PKI objects 1 

Merging fabrics 1 

Passwords 1 

A Secure Fabric OS commands and Secure Mode restrictions 11 

Secure Fabric OS commands 1 

Command restrictions in Secure mode 1 

Zoning commands 1 

Miscellaneous commands 1 

B Removing Secure Fabric OS 1' 

Preparing the fabric for removal of Secure Fabric OS policies 1 

Disabling Secure mode 1 

Deactivating the Secure Fabric OS license on each switch 1 

Uninstalling related items from the host 1 

Glossary 13 

Index 14 

Figures 

1 DH-CHAP authentication 

Tables 

1 Document conventions 

2 FCS policy states 6 



3 Valid methods for specifying policy members 

4 Read and write behaviors of SNMP policies 

5 Telnet policy states 

6 HTTP policy states 

7 API policy states 

8 SES policy states 

9 Management server policy states 

10 Serial port policy states 

11 Front panel policy states 

12 Options policy states 

13 DCC policy states 






14 SCC policy states 80 

15 Secure mode information 91 

16 Secure Fabric OS statistics 92 

17 Login account behavior with Secure Mode disabled and enabled 97 

18 Moving switches between fabrics 102 

19 Recovery processes 105 

20 Secure Fabric OS commands 116 

21 Zoning commands 120 

22 Miscellaneous commands 122 






About this guide 



This guide provides information about: 

• Setting up the optional HP StorageWorks Secure Fabric software. 

• Monitoring your SAN via the optional HP StorageWorks Secure Fabric software. 

Intended audience 

This guide is intended for use by system administrators and technicians who are experienced 
with the following: 

• HP StorageWorks Fibre Channel Storage Area Networks (SAN) switches 

• Fabric Operating System (FOS) version 4.x 

Related documentation 

Documentation, including white papers and best practices documents, is available via the HP 
website. Please go to: 

http://www.hp.com/country/us/eng/prodserv/storage.html 
To access 4.x related documents: 

1. Locate the Networked storage section of the web page. 

2. Under Networked storage, go to the By type subsection. 

3. Click SAN infrastructure. The SAN infrastructure page displays. 

4. Locate the Fibre Channel Switches section. 

Locate the B-Series Fabric subsection, and then go to the appropriate subsection, such 
as Enterprise Class for the SAN Director 2/128. 

To access 4.x documents (such as this document), select the appropriate product, for 
example SAN Director 2/128 & 2/128 Power Pack or Core Switch 2/64 & 
Core Switch 2/64 Power Pack. 

The switch overview page displays. 

5. Go to the Product information section, located on the far right side of the web page. 

6. Click Technical documents. 

7. Follow the onscreen instructions to download the applicable documents. 



Document conventions and symbols 



Table 1 Document conventions 

Convention                          Element 

Medium blue text: Figure 1          Cross-reference links and e-mail addresses 

Medium blue, underlined text        Web site addresses 
(http://www.hp.com) 

Bold font                           • Key names 
                                    • Text typed into a GUI element, such as into a box 
                                    • GUI elements that are clicked or selected, such as 
                                      menu and list items, buttons, and check boxes 

Italics font                        Text emphasis 

Monospace font                      • File and directory names 
                                    • System output 
                                    • Code 
                                    • Text typed at the command-line 

Monospace italic font               • Code variables 
                                    • Command-line variables 

Monospace, bold font                Emphasis of file and directory names, system output, 
                                    code, and text typed at the command-line 



WARNING! Indicates that failure to follow directions could result in bodily harm or death. 

CAUTION: Indicates that failure to follow directions could result in damage to equipment or 
data. 

IMPORTANT: Provides clarifying information or specific instructions. 

NOTE: Provides additional information. 

TIP: Provides helpful hints and shortcuts. 



HP technical support 



Telephone numbers for worldwide technical support are listed on the following HP web site: 
http://www.hp.com/support/. From this web site, select the country of origin. 



NOTE: For continuous quality improvement, calls may be recorded or monitored. 



Obtain the following information before calling: 

• Technical support registration number (if applicable) 

• Product serial numbers 

• Product model names and numbers 

• Applicable error messages 

• Operating system type and revision level 

• Detailed, specific questions 



HP Storage web site 



The HP web site has the latest information on this product, as well as the latest drivers. Access 
storage at: http://www.hp.com/country/us/eng/prodserv/storage.html. From this web site, select 
the appropriate product or solution. 

HP authorized reseller 

For the name of your nearest HP authorized reseller: 

• In the United States, call 1-800-345-1518. 

• Elsewhere, visit http://www.hp.com and click Contact HP to find locations and telephone 
numbers. 

1 Introducing Secure Fabric OS 



Secure Fabric OS is an optionally licensed product that provides customizable security 
restrictions through local and remote management channels on a fabric. Secure Fabric OS 
provides the ability to: 

• Create policies to customize fabric management access. 

• Specify which switches and devices can join the fabric. 

• View statistics related to attempted policy violations. 

• Manage the fabric-wide Secure Fabric OS parameters through a single switch. 

• Create temporary passwords specific to a login account and switch. 

• Enable and disable Secure Fabric OS as desired. 

Secure Fabric OS uses digital certificates based on PKI or Diffie-Hellman with 
Challenge-Handshake Authentication Protocol (DH-CHAP) shared secrets to provide 
switch-to-switch authentication. 

This chapter contains the following sections: 

• Changes to this guide for OS v5.0.0, page 11 

• Management channel Security, page 11 

• Switch-to-Switch authentication, page 13 

• Fabric configuration server switches, page 14 

• Fabric management policy set, page 15 

Changes to this guide for OS v5.0.0 

Documentation for Fabric OS v4.x is valid for v5.0.0 unless otherwise noted. 

Management channel Security 

Secure Fabric OS is used to provide policy-based access control of local and remote 
management channels, including the optional Fabric Manager, Advanced Web Tools, 
standard SNMP applications, and management server. 

Access through a channel can be restricted by customizing the Secure Fabric OS policy for 
that channel. Secure Fabric OS policies are available for telnet (includes sectelnet and Secure 
Shell), SNMP, management server, HTTP, and API. 

Fabric Manager, Web Tools, and API all use both HTTP and API to access the switch. To use 
any of these management tools to access a fabric that has secure mode enabled, ensure that 
the workstation computers can access the fabric by both API and HTTP. If an API or HTTP 
policy has been created, it must include the IP addresses of all the workstation computers. 

After a digital certificate has been installed on the switch, Fabric OS v3.2.0 and v4.4.x 
encrypt sectelnet, API, and HTTP passwords automatically, regardless of whether Secure 
Fabric OS is enabled. 



NOTE: The Telnet button in Advanced Web Tools can be used to launch telnet only (not 
sectelnet or Secure Shell) and is disabled when secure mode is enabled. 



On two-domain directors, messages (such as notifications of password changes) that are sent 
to the whole secure fabric are seen on both domains, even if the other domain is not part of 
the secure fabric. 

Secure shell (SSH) 

Fabric OS v4.4.x supports SSH, enabling fully encrypted telnet sessions. Use of SSH requires 
installation of an SSH client on the host computer; use of SSH does not require a digital 
certificate on the switch. 

Secure Shell access is configurable by the Telnet Policy that is available through Secure Fabric 
OS. However, Fabric OS v4.4.x supports Secure Shell whether or not Secure Fabric OS is 
licensed. 

To restrict CLI access to Secure Shell over the network, disable telnet as described in "Telnet" 
later in this section. 

Secure Shell clients are available in the public domain and can be located by searching the 
Internet. Use clients that support version 2 of the protocol, such as OpenSSH or F-Secure. 

Fabric OS v4.4.x also supports the following ciphers for session encryption and HMACs 
(hash function-based message authentication codes): 

• Ciphers: AES128-CBC, 3DES-CBC, Blowfish-CBC, CAST128-CBC, and RC4 

• HMACs: HMAC-MD5, HMAC-SHA1, HMAC-SHA1-96, and HMAC-MD5-96 

NOTE: The first time a Secure Shell client is launched, a message is displayed, indicating 
that the server's host key is not cached in the registry. You will also see this message the first 
time a Secure Shell client is launched after you upgrade switch firmware. 



For more information about Secure Shell, refer to the HP StorageWorks Fabric OS 4.x 
procedures user guide. 

Sectelnet 

The sectelnet client is a secure form of telnet that encrypts passwords only. It is available from 
your switch supplier. Fabric OS v4.4.x includes the sectelnet server; the sectelnet client must 
be installed on the workstation computer. 

The sectelnet client can be used as soon as a digital certificate is installed on the switch. 
Sectelnet access is configurable by the Telnet Policy. 

Telnet 

Standard telnet is not available when secure mode is enabled. 

To remove all telnet access to the fabric, disable telnet through the telnetd option of the 
configure command. This configure option does not require disabling the switch. For more 
information about the configure command, refer to the HP StorageWorks Fabric OS 4.x 
command reference guide. 



Switch-to-Switch authentication 

Switch-to-switch authentication supports the following: 

• Using PKI, page 13 

• Using DH-CHAP, page 14 

Using PKI 

Secure Fabric OS can use digital certificates based on public key infrastructure (PKI) and 
switch WWNs and the SLAP or FCAP protocols to identify the authorized switches and 
prevent the addition of unauthorized switches to the fabric. A PKI certificate installation utility 
(PKICert) is provided for generating certificate signing requests (CSRs) and installing digital 
certificates on switches. For information about how to use the PKICert utility, see "Adding 
Secure Fabric OS" on page 20. 

Support for FCAP is first provided in Secure Fabric OS v3.2.0 and v4.4.x and is used instead 
of SLAP when both switches support it. PKI authentication automatically falls back to SLAP 
when a switch does not support FCAP. 
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r!^ NOTE: PKI digital certificates are used also by Fabric OS v4.4.x. Secure Fabric OS and 
b£J Secure Sockets Layer (SSL) use different digital certificates and different methods of obtaining 
and installing the certificates. PKI digital certificates are used for the secure fabric, and SSL 
digital certificates are not. The methods described in this manual are specific to Secure Fabric 
OS. Refer to the HP StorageWorks Fabric OS 4.x procedures user guide hot information about 
SSL and digital certificates. 



Using DH-CHAP 

Starting with Fabric OS v3.2.0 and v4.4.x, Secure Fabric OS can use Diffie-Hellman with 
Challenge-Handshake Authentication Protocol (DH-CHAP) shared secrets to provide 
switch-to-switch authentication and prevent the addition of unauthorized switches to the fabric. 
(DH-CHAP is not available with Fabric OS v2.6.x.) The default is to use FCAP or SLAP (refer to 
"Switch-to-Switch authentication"). To authenticate using DH-CHAP, you must explicitly 
enable it. 

You control which authentication protocols can be used by a switch with the authUtil CLI 
command. Using this command, you can specify that FCAP only, DH-CHAP only, or either be 
used. If both are permitted, the default order (FCAP, DH-CHAP) is used. The actual protocol is 
selected during dynamic negotiation. 

DH-CHAP requires a pair of shared secret keys (shared secrets) between each pair of switches 
that authenticate with DH-CHAP. Use the secAuthSecret command to manage shared secrets. 
Refer to the HP StorageWorks Fabric OS 4.x command reference guide for details of the 
authUtil and secAuthSecret commands, and refer to "Configuring authentication" on 
page 50 for a basic procedure for configuring DH-CHAP. 
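The following Python is an added illustration, not code from this guide or from Fabric OS: it models the DH-CHAP exchange described above, in which the authenticator sends a random challenge with a Diffie-Hellman public value, the responder answers with its own DH value and a hash over the transaction ID, the shared secret and the DH-augmented challenge, and the authenticator recomputes that hash to accept or reject the peer. The message layout, the use of SHA-1, the DH group (the RFC 2409 1024-bit MODP group) and the sample WWNs and secret are assumptions of this example, not the exact FC-SP encoding.

```python
"""Simplified model of DH-CHAP switch-to-switch authentication (added example)."""
import hashlib
import hmac
import secrets

# Diffie-Hellman group: the 1024-bit MODP prime from RFC 2409 (group 2), generator 2.
# The group choice is an assumption of this example; the guide does not name one.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def _h(*parts: bytes) -> bytes:
    """Hash for challenge/response; SHA-1 is an assumption of this model."""
    return hashlib.sha1(b"".join(parts)).digest()


def _int_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def _response(tid: bytes, secret: bytes, challenge: bytes, dh_key: int) -> bytes:
    """R = H(tid || secret || H(challenge || g^xy)).

    The DH key augments the challenge, so the response only verifies for a party
    that holds one of the private exponents as well as the shared secret."""
    augmented = _h(challenge, _int_bytes(dh_key))
    return _h(tid, secret, augmented)


class Switch:
    """One switch. `secrets_by_peer` maps a peer WWN to the secret shared with it.

    The guide speaks of a pair of secrets per switch pair; one symmetric secret
    per peer is a simplification made by this model."""

    def __init__(self, wwn: str, secrets_by_peer: dict):
        self.wwn = wwn
        self.secrets_by_peer = secrets_by_peer
        self._x = None  # private DH exponent of the outstanding challenge

    # -- authenticator side -------------------------------------------------
    def challenge(self) -> dict:
        """DHCHAP_Challenge: transaction id, random challenge and g^x mod p."""
        self._x = secrets.randbelow(P - 2) + 1
        return {
            "from": self.wwn,
            "tid": secrets.token_bytes(4),
            "challenge": secrets.token_bytes(16),
            "dh_pub": pow(G, self._x, P),
        }

    def verify(self, sent: dict, reply: dict) -> bool:
        """Recompute the expected response with our exponent and the peer's secret."""
        secret = self.secrets_by_peer.get(reply["from"])
        if secret is None or self._x is None:
            return False  # peer not in our secret database, or no challenge outstanding
        dh_key = pow(reply["dh_pub"], self._x, P)
        expected = _response(sent["tid"], secret, sent["challenge"], dh_key)
        return hmac.compare_digest(expected, reply["response"])

    # -- responder side -----------------------------------------------------
    def reply(self, chal: dict) -> dict:
        """DHCHAP_Reply: g^y mod p plus the response over the augmented challenge."""
        y = secrets.randbelow(P - 2) + 1
        dh_key = pow(chal["dh_pub"], y, P)
        # A responder with no secret for this peer answers with an empty secret,
        # which the authenticator rejects.
        secret = self.secrets_by_peer.get(chal["from"], b"")
        return {
            "from": self.wwn,
            "dh_pub": pow(G, y, P),
            "response": _response(chal["tid"], secret, chal["challenge"], dh_key),
        }


def authenticate(authenticator: Switch, responder: Switch) -> bool:
    """Run one direction of the exchange; True only when both hold the same secret."""
    chal = authenticator.challenge()
    rep = responder.reply(chal)
    return authenticator.verify(chal, rep)


if __name__ == "__main__":
    # Constructed sample WWNs and secret, not values from the guide.
    sw1 = Switch("10:00:00:00:00:00:00:01", {"10:00:00:00:00:00:00:02": b"example-secret"})
    sw2 = Switch("10:00:00:00:00:00:00:02", {"10:00:00:00:00:00:00:01": b"example-secret"})
    print("sw1 authenticates sw2:", authenticate(sw1, sw2))
```

A peer that has no shared secret configured for the authenticator, or a different one, fails verification, which is the behaviour that keeps an unauthorized switch out of the fabric.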



Fabric configuration server switches 

Fabric Configuration Server (FCS) switches are one or more switches that are specified as 
"trusted" switches for use in managing Secure Fabric OS. These switches should be both 
electronically and physically secure. At least one FCS switch must be specified to act as the 
primary FCS switch, and one or more backup FCS switches are recommended to provide 
failover ability in case the primary FCS switch fails. 

If your primary FCS switch runs Fabric OS v3.2.x or v4.4.x, you should not use a Fabric OS 
v2.6.2 switch (or a switch running older versions of Fabric OS v3.x.x or v4.x.x) as a backup 
FCS switch. Fabric OS v3.2.0 and v4.4.x introduce new features, such as a larger secure 
database (128K in v3.2.0 and 256K in v4.4.x), centralized login authentication (AAA), 
RADIUS, and a SSL certificate, not supported by older releases. 

FCS switches are specified by listing their WWNs in a specific policy called the FCS policy. 
The first switch that is listed in this policy and participating in the fabric acts as the primary 
FCS switch; it distributes the following information to the other switches in the fabric: 






• Zoning configuration 

• Secure Fabric OS policies 

• Fabric password database 

• SNMP community strings 

• System date and time 

NOTE: The role of the FCS switch is separate from the role of the principal switch, which 
assigns domain IDs. The role of the principal switch is not affected by whether secure mode is 
enabled. 



When secure mode is enabled, only the primary FCS switch can propagate management 
changes to the fabric. When a new switch joins the fabric, the primary FCS switch verifies the 
digital certificate; then it provides the current configuration, overwriting the existing 
configuration of the new switch. 

Because the primary FCS switch distributes the zoning configuration, zoning databases do not 
merge when new switches join the fabric. Instead, the zoning information on the new switches 
is overwritten when the primary FCS switch downloads zoning to these switches, if secure 
mode is enabled on all of them. For more information about zoning, refer to the HP 
StorageWorks Fabric OS 4.x procedures user guide. 

The remaining switches listed in the FCS policy act as backup FCS switches. If the primary 
FCS switch becomes unavailable for any reason, the next switch in the list becomes the 
primary FCS switch. You should have at least one backup FCS switch, to reduce the possibility 
of having no primary FCS switch available. You can designate as many backup FCS switches 
as you like; however, all FCS switches should be physically secure. 

Any switches not listed in the FCS policy are defined as non-FCS switches. The root and 
factory accounts are disabled on non-FCS switches. 



Fabric management policy set 

Using Secure Fabric OS, you can create several types of policies to customize various aspects 
of the fabric. By default, only the FCS policy exists when secure mode is first enabled. Use the 
CLI or Fabric Manager to create and manage Secure Fabric OS policies. 

Secure Fabric OS policies can be created, displayed, modified, and deleted. They can also 
be created and saved without being activated immediately, to allow implementation at a 
future time. Saved policies are persistent, meaning that they are saved in flash memory and 
remain available after switch reboot or power cycle. 
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The group of existing policies is referred to as the "fabric management policy set" or FMPS, 
which contains an active policy set and a defined policy set. The active policy set contains the 
policies that are activated and currently in effect. The defined policy set contains all the 
policies that have been defined, whether activated or not. Both policy sets are distributed to 
all switches in the fabric by the primary FCS switch. Secure Fabric OS recognizes each type 
of policy by a predetermined name. 



Secure Fabric OS supports the following policies: 

• FCS policy 

Use to specify the primary FCS and backup FCS switches. This is the only required policy. 

• Management Access Control (MAC) policies 

Use to restrict management access to switches. The following specific MAC policies are 
provided: 

• Read and Write SNMP policies. Use to restrict which SNMP hosts are allowed read 
and write access to the fabric. 

• Telnet policy. Use to restrict which workstations can use sectelnet or Secure Shell to 
connect to the fabric (telnet is not available when Secure Fabric OS is enabled). 

• HTTP policy. Use to restrict which workstations can use HTTP to access the fabric. 

• API policy. Use to restrict which workstations can use API to access the fabric. 

• SES policy. Use to restrict which devices can be managed by SES. 

NOTE: HP does not support SES at this time, although it appears in the Secure Fabric 

• Management Server policy. Use to restrict which devices can be accessed by 
management server. 

• Serial Port policy. Use to restrict which switches can be accessed by serial port. 

• Front Panel policy. Use to restrict which switches can be accessed by front panel. 

• Options policy 

Use to restrict the types of WWNs that can be used for zoning. 

• Device Connection Control (DCC) policies 

Use to restrict which Fibre Channel device ports can connect to which Fibre Channel 
switch ports. 

• Switch Connection Control (SCC) policy 

Use to restrict which switches can join the fabric. 
2 Integrating Secure Fabric OS 



Secure Fabric OS is supported by Fabric OS v2.6.2, v3.x and v4.x and later; it can be 
added to fabrics that contain any combination of these versions. This manual applies to 
v3.2.0, and v4.4.x, and assumes that these versions are running before adding Secure Fabric 
OS. The procedure for adding Secure Fabric OS to a switch depends on whether the switch is 
shipped with one of these versions installed or requires upgrading. 

HP StorageWorks switches running Fabric OS 2.3.x through Fabric OS 4.4.x can be 
upgraded to this latest version of Secure Fabric OS. These switches include: 

• HP StorageWorks 1 Gbps switches 

• HP StorageWorks SAN Switch 2/8 EL and HP StorageWorks SAN Switch 2/16 

• HP StorageWorks SAN Switch 2/32 

• HP StorageWorks SAN Switch 4/32 

• HP StorageWorks Core Switch 2/64 

• HP StorageWorks SAN Director 2/128 

• HP StorageWorks SAN Switch 2/8V, 2/16V and 2/16N 

This chapter contains the following sections: 

• Adding Secure Fabric OS, page 20 

• Identifying the current version of Fabric OS, page 21 

• Adding Secure Fabric OS to SAN switches, page 21 

• Adding Secure Fabric OS to switches that require upgrading, page 25 

• Adding Secure Fabric OS to HP StorageWorks enterprise class switches, page 46 

• Installing a supported CLI client on a computer workstation, page 49 

• Configuring authentication, page 50 
Adding Secure Fabric OS 



To implement Secure Fabric OS in a fabric, each switch in the fabric must have the following: 

• A compatible version of Fabric OS 

• An activated Secure Fabric OS license 

• An activated Advanced Zoning license (zoning is essential to Secure Fabric OS 
mechanisms) 

• The required PKI objects 

• A digital certificate 

The following tasks are required to set up a fabric for use with Secure Fabric OS: 

• Identify the versions of Fabric OS currently installed on each switch and determine which 
switches require upgrading to support Secure Fabric OS. Instructions are provided in 
"Identifying the current version of Fabric OS" on page 21. 

• For each switch (except the HP StorageWorks Core Switch 2/64 and HP StorageWorks 
SAN Director 2/128 with dual-virtual switches) that was shipped with Fabric OS v3.1.2 
or later or v4.2.0 or later installed, follow the instructions provided in "Adding Secure 
Fabric OS to SAN switches" on page 21. 

• For each switch that must be upgraded for use with Secure Fabric OS, follow the 
instructions provided in "Adding Secure Fabric OS to switches that require upgrading" on 
page 25. 

• For HP StorageWorks Core Switch 2/64 and HP StorageWorks SAN Director 2/128 
models configured with two logical switches, with Fabric OS v4.x, follow the instructions 
provided in "Adding Secure Fabric OS to HP StorageWorks enterprise class switches" on 
page 46. 

• Install a supported CLI client on each computer workstation that will be used to access the 
fabric. Instructions are provided in "Installing a supported CLI client on a computer 
workstation" on page 49. 



NOTE: If one or more switches are incapable of enforcing security, secure mode is not 

Identifying the current version of Fabric OS 

Before continuing, identify the version of Fabric OS on each switch in the fabric and 
determine which switches must be upgraded. 

To identify the current version of Fabric OS installed on each switch in the fabric: 

1. Open a CLI connection (serial or telnet) to one of the switches in the fabric. 

2. Log in to the switch as admin. The default password is "password". 

3. Type the version command. 

For example, entering the version command on a SAN Switch 4/32: 

switch3900:admin> version 
Kernel:     2.4.2 
Fabric OS:  v4.2 
Made on:    Fri Jan 3 23:02:08 2003 
Flash:      Jan 3 18:03:35 2003 
BootProm:   4.2.17 

4. Repeat the preceding steps for each switch in the fabric. 



Adding Secure Fabric OS to SAN switches 

All switches that are shipped with Fabric OS v3.2.0 or v4.4.x installed already have the 
required PKI objects and a digital certificate. If a switch no longer has the required PKI 
objects, refer to section "Recreating PKI objects if required" on page 39 for information on 
recreating the PKI objects. If a switch no longer has the required digital certificate, refer to 
section "Obtaining the digital certificate file" on page 34 for information on obtaining digital 
certificates. 

Switch digital certificates are checked when a switch joins a fabric, either because the switch 
is added to the fabric or because the switch is booting. Changes to the certificate (for 
example, if the certificate is removed or corrupted) might not be noticed until the switch is 
rebooted. 
Read this section to set up Secure Fabric OS for the following switches: 

• HP StorageWorks 1 Gbps switches 

• HP StorageWorks SAN Switch 2/8 EL or HP StorageWorks SAN Switch 2/16 

• HP StorageWorks SAN Switch 2/32 

• HP StorageWorks SAN Switch 4/32 

• HP StorageWorks SAN Switch 2/8V, 2/16V and 2/16N 

1. Change the account passwords from default values as described in "Customizing the 
account passwords" on page 23. 

2. If switches running Fabric OS v2.6.2 or v3.2.0 will be in the same fabric as switches running 
Fabric OS v4.4.x, refer to the HP StorageWorks Fabric OS 4.x procedures user guide for 
instructions on configuring compatible PID modes across the switches. 




NOTE: Changing the PID format causes an update to the DCC policies. If you change the 
PID format, use the configUpload command to create a new backup configuration file. Do 
not download the old file. 



3. Ensure that the switch has activated Secure Fabric OS and Advanced Zoning software 
licenses as described in "Verifying or activating the Secure Fabric OS and Advanced 
Zoning licenses" on page 24. 
Customizing the account passwords 

The user is prompted to customize the account passwords at the first login. The prompts 
continue to display at each login and the passwd command remains disabled until the 
passwords prompts are answered. Immediately changing the passwords is recommended. 



NOTE: In addition to customizing the passwords for the user, admin, factory, and root 
accounts, setting both the boot PROM and recovery passwords is strongly recommended. For 
instructions on setting these passwords, refer to the HP StorageWorks Fabric OS 4.x 
procedures user guide. 



To log in and change the passwords: 

1. Open a CLI connection (serial or telnet) to the switch. 

2. Log in to the switch as admin. The default password is password. The firmware prompts 
to change all passwords. 

3. Change all the passwords to secure passwords, using between 8 and 40 alphanumeric 
characters for each password, with a different password for each account. The new 
passwords must be different from the default values. 



NOTE: The initial login prompt accepts a maximum password length of eight characters. Any 
characters beyond the eighth character are ignored. Only the default password is subject to 
the eight character limit. Any password set by the user can have a length from 8 to 40 
characters. 

Record the passwords and store them in a secure place; recovering passwords can require 
significant effort and result in fabric downtime. 
Verifying or activating the Secure Fabric OS and Advanced Zoning licenses 

The Secure Fabric OS and Advanced Zoning features are part of the Fabric OS and can be 
activated by entering a corresponding license key, available from the switch supplier. A 
license must be activated on each switch that will be implementing Secure Fabric OS. 

Licenses can be activated through the CLI or through Web Tools. This section provides CLI 
instructions only. For instructions on activating a license through Web Tools, refer to the HP 
StorageWorks Fabric OS 4.x advanced web tools user guide. 

Use these steps to verify or activate a software license through the CLI. 

1. Open a command line interface (CLI), serial or telnet, to the switch. 

2. Log in to the switch as admin. The default password is password. 

3. Type the licenseShow command to determine whether the license is already activated. 

A list of all the activated licenses displays. The Secure Fabric OS license displays as 
"Security license"; for example: 

switch:admin> licenseshow 

lAlAaAaaaAAAAla: 
    Web license 
    Zoning license 
    Trunking license 
    Security license 

4. If the Secure Fabric OS and Advanced Zoning licenses are already listed, the features are 
already available and the remaining steps are not required; continue if either license is not 
listed. 

5. Contact the switch supplier to purchase the required license key. 

6. After the key is received, type licenseAdd "key". 

key is the license key string exactly as provided by the switch supplier; it is case sensitive. 
You can copy it from the email in which it was provided directly into the CLI. For example: 

switch:admin> licenseadd "aAaaaaAaAaAaAaA" 

adding license key "aAaaaaAaAaAaAaA" 

7. Type the licenseShow command to verify that the license was successfully activated. 

If the license is listed, the feature is immediately available (the Secure Fabric OS license 
displays as "Security license"). 
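The decision in step 4 (skip the remaining steps only when both the Security and Zoning licenses are listed) can be automated when you have many switches to check. The following Python script is an added example and is not part of this guide or of the Fabric OS software; the licenseShow output it parses is constructed to match the listing shown above, with a placeholder license key. 

```python
"""Check licenseShow output for the licenses Secure Fabric OS needs.

Added example, not part of the HP/Brocade documentation. The parser only
looks at the license names, so the (constructed, placeholder) key line on
the second line of the sample has no effect on the result.
"""

# Constructed sample, shaped like the licenseShow listing in the guide.
SAMPLE_LICENSESHOW = """\
switch:admin> licenseshow
AaAaAaAaAaAaAaA:
    Web license
    Zoning license
    Trunking license
    Security license
"""

# Secure Fabric OS needs both of these before the procedure can stop at step 4.
REQUIRED_LICENSES = ("Security license", "Zoning license")


def parse_licenseshow(output):
    """Return the set of license names listed by licenseShow.

    A license line ends with the word "license"; the key line (which ends
    in a colon) and the echoed command are ignored.
    """
    licenses = set()
    for line in output.splitlines():
        line = line.strip()
        if line.endswith(" license"):
            licenses.add(line)
    return licenses


def missing_licenses(output, required=REQUIRED_LICENSES):
    """List the required licenses that are absent, in the order required."""
    present = parse_licenseshow(output)
    return [name for name in required if name not in present]


def licenses_ready(output):
    """True when both required licenses are present and licenseAdd is not needed."""
    return not missing_licenses(output)


if __name__ == "__main__":
    print("present:", sorted(parse_licenseshow(SAMPLE_LICENSESHOW)))
    print("missing:", missing_licenses(SAMPLE_LICENSESHOW))
```

Paste the captured licenseShow text of each switch into the function; any name returned by missing_licenses is a switch that still needs a key from the switch supplier. 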
Adding Secure Fabric OS to switches that 
require upgrading 

This section applies to the following switches: 

• HP StorageWorks SAN Switch 2/8 EL or HP StorageWorks SAN Switch 2/16 switches 
running a Fabric OS previous to v3.1.2 

• HP StorageWorks SAN Switch 2/32 and HP StorageWorks Core Switch 2/64 running 
Fabric OS previous to v4.2.0 

To set up Secure Fabric OS on a switch that was not shipped with Fabric OS v3.1.2 or v4.4.x 
(or later): 

1. If switches running Fabric OS v3.2.0 will be in same fabric as switches running Fabric OS 
v4.4.x, refer to the HP StorageWorks Fabric OS 4.x procedures user guide for instructions 
on configuring compatible PID modes. 



NOTE: Changing the PID format causes an update to the DCC policies. If you change the 
PID format, use the configDownload command to create a new backup configuration file. 
Do not upload the old file. 



2. Back up the configuration and upgrade the switch to Fabric OS v3.2.0 or v4.4.x, as 
appropriate to the switch, as described in "Upgrading to a compatible version of 
Fabric OS" on page 26. 

3. Change the account passwords from the default values, as described in "Customizing the 
account passwords" on page 27. 

4. The remaining steps are determined by whether Secure Fabric OS was already in use on 
the switch (such as on a 1 Gb switch that was running Fabric OS v2.6): 

• If Secure Fabric OS was already in use on the switch, the upgrade is complete; do not 
proceed further. To verify the existing policy set, enter the secPolicyShow 
command. 

• If Secure Fabric OS was not already in use on the switch, continue with step 5. 

5. Verify or activate the Secure Fabric OS and Advanced Zoning licenses, as described in 
"Verifying or Activating the Secure Fabric OS and Advanced Zoning licenses" on 
page 27. 

6. Download and install the PKICert utility on the computer workstation, as described in 
"Installing the PKICert utility" on page 28. 

7. Create a file containing the certificate signing requests (CSRs) from all the switches that 
require certificates, as described in "Using the PKICert utility" on page 28. 
8. Obtain digital certificates from the switch supplier, as described in "Obtaining the digital 
certificate file" on page 34. 

9. Distribute the certificates to the switches, as described in "Distributing digital certificates to 
the switches" on page 34. 

10. Verify that digital certificates are installed on all the switches, as described in "Verifying 
installation of the digital certificates" on page 38. 

Upgrading to a compatible version of Fabric OS 

Secure Fabric OS is supported by Fabric OS v2.6.2, v3.2.0, and v4.4.x and can be 
implemented in fabrics that contain any combination of these versions. The following switches 
can be upgraded for use with Secure Fabric OS: 

• HP StorageWorks 1 Gbps switches 

• HP StorageWorks SAN Switch 2/8 EL or HP StorageWorks SAN Switch 2/16 

• HP StorageWorks SAN Switch 2/32 

• HP StorageWorks SAN Switch 4/32 

• HP StorageWorks SAN Switch 2/8V, 2/16V and 2/16N 

• HP StorageWorks Core Switch 2/64 and HP StorageWorks SAN Director 2/128 

NOTE: Combinations of switches running Fabric OS v2.6.2 or v3.2.0 and Fabric OS v4.4.x 
must use compatible PID modes. Refer to the HP StorageWorks Fabric OS 4.x procedures user 
guide for information about PID modes. Changing the PID format causes an update to the 
DCC policies. If you change the PID format, use the configDownload command to create a 
new backup configuration file. Do not upload the old file. 



If a switch already has a Secure Fabric OS license (such as a switch running Fabric OS v2.6) 
and secure mode is enabled, the switch can remain in secure mode during the firmware 
upgrade. 

To install the required versions of Fabric OS on each switch in the fabric: 

1. Obtain the required firmware from the switch provider, according to the type of switch. 

2. Open a CLI connection (serial or telnet) to one of the switches in the fabric. 

3. Back up the configuration by entering the configUpload command and completing the 
prompts. This also backs up the security policies, if the switch is an FCS switch. 

4. Log in to the switch as admin. The default password is "password". 

5. Download the firmware to the computer workstation or server. 
6. Download the required firmware from the computer to the switch. The download process 
depends on the type of switch and management interface. 



NOTE: If secure mode is already enabled on the switch (such as on a 1 Gb switch running 
v2.6), secure mode can remain enabled during the download to preserve the policies. For 
information about merging fabrics that have secure mode enabled, refer to "Adding switches 
and merging fabrics with Secure mode enabled" on page 103. 



7. Reboot the switch. 



NOTE: The required PKI objects are automatically generated when the switch is rebooted in 
the new version of Fabric OS. See "Verifying installation of the digital certificates" on 
page 38 for steps you can take to verify the existence of the PKI objects. 



8. Repeat this procedure for each switch in the fabric. 

Customizing the account passwords 

After installing a new version of Fabric OS, the user is prompted to customize the account 
passwords at the first login. These prompts display at each login and the passwd command 
remains disabled until the passwords are changed from the default values. 

To log in and change the passwords: 

1. Open a CLI, serial or telnet, to the switch. 

2. Log in to the switch as admin. The default password is password. The firmware prompts 
the user to change all passwords. 

3. Change all the passwords to secure passwords, using between 8 and 40 alphanumeric 
characters for each password, with a different password for each account. The new 
passwords must be different from the default values. 



NOTE: Record the passwords and store them in a secure place; recovering passwords can 
require significant effort and result in fabric downtime. 
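The password rules in step 3 above, and in the identical step of the login procedure at the start of this chapter (8 to 40 alphanumeric characters, a different password for each account, none equal to the default), are easy to check before the values are typed into the switch. The following Python function is an added example, not part of this guide or of Fabric OS; it applies the guide's wording literally (so punctuation is rejected as non-alphanumeric), and the account list, the sample passwords and the violation messages are this example's own constructions. 

```python
"""Check a set of new Fabric OS account passwords against the rules this
guide states: 8 to 40 alphanumeric characters, a different password for
every account, and none equal to the default "password".

Added example, not from the HP/Brocade documentation. "Alphanumeric" is
taken literally (ASCII letters and digits only); the sample values are
constructed. The initial login prompt reads only eight characters, but the
guide says that limit applies to the default password only, so new
passwords are checked against the full 8..40 range.
"""
import re

DEFAULT_PASSWORD = "password"
ACCOUNTS = ("user", "admin", "factory", "root")   # accounts named in this guide
MIN_LEN, MAX_LEN = 8, 40
ALNUM = re.compile(r"[A-Za-z0-9]+")


def password_violations(passwords):
    """Return a list of (account, problem) tuples; an empty list means compliant.

    `passwords` maps account name -> proposed password.
    """
    problems = []
    # Every account on the switch must get a new password.
    for account in ACCOUNTS:
        if account not in passwords:
            problems.append((account, "no password supplied"))
    # Per-password rules.
    for account, pw in passwords.items():
        if not MIN_LEN <= len(pw) <= MAX_LEN:
            problems.append((account, "length must be 8 to 40 characters"))
        if not ALNUM.fullmatch(pw):
            problems.append((account, "must be alphanumeric"))
        if pw == DEFAULT_PASSWORD:
            problems.append((account, "must differ from the default"))
    # Cross-account rule: no two accounts share a password.
    seen = {}
    for account, pw in passwords.items():
        if pw in seen:
            problems.append((account, "same password as " + seen[pw]))
        else:
            seen[pw] = account
    return problems


if __name__ == "__main__":
    proposed = {  # constructed sample values
        "user": "password",          # still the default
        "admin": "short1",           # too short
        "factory": "FacPass2005",
        "root": "FacPass2005",       # duplicates factory
    }
    for account, problem in password_violations(proposed):
        print(account + ":", problem)
```

Run the check on the planned values for all four accounts and fix every reported problem before logging in; the switch itself will not tell you which rule a rejected password broke. 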



Verifying or Activating the Secure Fabric OS and 
Advanced Zoning licenses 

Refer to the instructions provided in "Verifying or activating the Secure Fabric OS and 
Advanced Zoning licenses" on page 24. 
Installing the PKICert utility 

The PKI certificate installation utility (PKICert utility) version 1.0.6 or later is provided by the 
switch supplier and is used to collect certificate signing requests (CSRs) and install digital 
certificates on switches. The utility must be installed on a computer workstation. 

To install the PKICert utility on a Solaris workstation, follow the instructions provided in the 
PKICert utility ReadMe file. 

To install the PKICert utility on a PC workstation, perform the following steps: 

1. Obtain the PKICert utility from the switch supplier. 

2. Extract all the files from the utility zip file into a directory. 

3. Execute the setup.exe file; it installs a utility in a location specified during the installation. 

4. Review the ReadMe file for current information about the utility. 

Using the PKICert utility 

The PKICert utility makes it possible to retrieve certificate signing requests (CSRs) from all the 
switches in the fabric and save them into a CSR file in XML format. PKICert also allows the 
user to create license reports, and it provides online help. (CSRs and PKI digital certificates 
are also used in Fabric OS v4.4.x with SSL certificates. The utility to retrieve certificates, the 
CSRs themselves, and the digital certificates for these two uses are different. Refer to the HP 
StorageWorks Fabric OS 4.x procedures user guide for information on SSL.) 



NOTE: If this procedure is interrupted by a switch reboot, the CSR file is not generated and 
the procedure must be repeated. This procedure provides PC-specific examples. 
The PKICert utility can be used only in nonsecure mode to generate or install certificates. 



To obtain the CSR file for the fabric: 

1. Open the PKICert utility. On a PC, double-click pkicert.exe. 

The utility prompts for the events log file name. 
2. Type a file name for the events log and press Enter or just press Enter to accept the 
default. The log file is automatically created in the same directory as pkicert.exe. 

PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 

All events and errors will be recorded in an event/error log file. 
If the file already exists, new event/error information will be 
appended to it. 

Enter a log file name [or just press Enter to accept the default]. 
[pki_events.log] => pki_events_fabric1.log 

The utility prompts for the desired function. 

3. Type 1 to select CSR retrieval and press Enter. 

PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 
FUNCTIONS 

1) Retrieve CSRs from switches & write a CSR file 

2) Install Certificates contained in a Certificate file 

3) Generate a Licensed-Product/Installed-Certificates report 

4) Help using PKI-Cert to get & install certificates 
q) Quit PKI Certificate installation utility 

Enter choice> 1 

The utility prompts for the method of specifying fabric addresses. 

4. Type the desired method for entering the fabric addresses. 

PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 
Choose a method for providing fabric addresses 

1) Manually enter fabric address 

2) Read addresses from a file (name to be given) 
r) Return to Main menu 

Enter choice> 

To manually enter the fabric address: 

a. Type 1 and press Enter. 

The utility prompts for the IP address or switch name of a switch in the fabric. Only one 
switch name or IP address is required for each fabric. 

b. Type the IP address or switch name of one of the switches in the fabric and press 
Enter. 

At least one valid IP address must be entered to continue, and the corresponding 
switch must be operating and available. When all the IP addresses have been entered, 
press Enter again to end the list. 

The utility prompts for the username and password for this switch. 

c. Type the username and password; then press Enter to continue. 

PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 

Only one address per fabric is needed to get to all switches. 
Enter a list of one or more IP or DNS addresses (aliases) you 
wish to use (one per line). End the list with an empty item. 

1 --> 10.32.142.167 

2 --> 

Connecting to Fabric(s)... 

Login to fabric 1. principal switch WWN = 10:00:00:60:69:80:46:00 

Username: admin 
Password: 

Logged into fabric 1. principal switch WWN = 10:00:00:60:69:80:46:00 
Press Enter to continue > 

To read the fabric addresses from a file: 

a. Type 2 and press Enter. 

The utility prompts for the path and file name of the file. The addresses in the file must be IP 
addresses or switch names, each on a separate line. 

b. Type the path and file name of the file that contains the fabric addresses and press 
Enter. 



Enter the file-name of the Fabric Address file. 
File Name ===> \\server\Working\FabricAddresses.txt 

Connecting to Fabric(s)... 

Login to fabric 1. principal switch WWN = 10:00:00:60:69:80:46:00 

Username: admin 
Password: 

Logged into fabric 1. principal switch WWN = 10:00:00:60:69:80:46:00 
Press Enter to continue > 









The utility prompts for information about the CSR file to be created. 



5. Type the requested information: 
a. Enter the path and file name for the CSR file to be created; then type y if the address was 
entered correctly, or enter n and reenter the address, if not. 

b. Type y to include licensed product data in the file. Otherwise, type n. 

c. Type y to retrieve CSRs from all switches in the fabric or n to retrieve CSRs only from 
switches that do not already have a digital certificate. 

PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 
GET CERTIFICATE SIGNING REQUESTS 

You must enter the file-name of the CSR output file to create. 

Note: 

* The named file will be created 

* The file-name may include a directory path 
that must already exist. 

* An extension of '.xml' will be appended to 
the file name if not already present. 

* If the file already exists, it will be 
overwritten. 

File Name ===> test 

Is the filename "test.xml" correct? (y/n) : y 

**** WARNING, file, "test.xml", already exists!! **** 

Do you want to overwrite it <y/n>? > y 

Include (optional) licensed product data (y/n)? > y 

Get CSRs even from switches with certificates (y/n)? > y 



NOTE: If CSRs are retrieved and digital certificates are requested for switches that already 
have digital certificates, the same digital certificates are provided again. 



The utility prompts for which fabrics to retrieve CSRs from. 

6. Type 1 to retrieve CSRs only from the fabric identified earlier or a to retrieve CSRs from all 
discovered fabrics; then press Enter. 

PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 
Choose a Fabric On Which to Operate 

Fabric World Wide Name       # Switches   Principal 

1) 10:00:00:60:69:80:46:00   34           host1_sw0 

a) All Fabrics 

r) Return to Functions menu 

enter your choice> 1 






The utility displays the success or failure of CSR retrieval. 

7. Press Enter to continue. 

PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 

Retrieving CSR's from 1 fabric(s) 

1. Got a CSR for Switch: Name="sw129", IP="10.32.142.129" 
2. Got a CSR for Switch: Name="sw128", IP="10.32.142.128" 
3. Got a CSR for Switch: Name="sw139", IP="10.32.142.139" 
4. Got a CSR for Switch: Name="sw143", IP="10.32.142.143" 
5. Got a CSR for Switch: Name="sw138", IP="10.32.142.138" 
6. Got a CSR for Switch: Name="sw142", IP="10.32.142.142" 
7. Got a CSR for Switch: Name="Core_sw0", IP="10.32.142.166" 

Wrote 12824 bytes of switch data to file: "\\server\Working\CSR_Fabric1.xml" 
Success getting CSRs & writing them to a CSR file 
Press Enter to continue > 



The Functions menu is displayed. 

8. If you are ready to install digital certificate(s), type 2 from the list shown in the following 
Functions menu; do not quit PKICert. 





PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 
FUNCTIONS 

1) Retrieve CSRs from switches & write a CSR file 

2) Install Certificates contained in a Certificate file 

3) Generate a Licensed-Product/Installed-Certificates report 

4) Help using PKI-Cert to get & install certificates 
q) Quit PKI Certificate installation utility 

Enter choice> 2 
After you type 2, the following information is displayed: 



PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 

Currently Connected Fabrics 

Fabric World Wide Name       # Switches   Principal 
1) 10:00:00:60:69:11:f8:f9   15           sec237 

Use Currently Connected Fabrics? 

y) Yes, continue with current fabric(s) 

n) No, input different Fabric addresses(es) 

enter your choice> y 





Select n (no) to input different fabric addresses. After you select y (yes), the following 
information is displayed: 



PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 
LOAD CERTIFICATES 

Enter the file-name of the Certificate input file. 

File Name ===> c:/6821.xml 

Is the filename "c:/6821.xml" correct? (y/n) : y 




After you select y (yes), the following information is displayed: 

PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 
Choose a Fabric On Which to Operate 

Fabric World Wide Name       # Switches   Principal 

1) 10:00:00:60:69:11:f8:f9   15           sec237 

a) All Fabrics 

r) Return to Functions menu 

enter your choice> 1 
9. To quit the utility, type q; then type y and press Enter to verify that you want to quit. 

PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 
FUNCTIONS 

1) Retrieve CSRs from switches & write a CSR file 

2) Install Certificates contained in a Certificate file 

3) Generate a Licensed-Product/Installed-Certificates report 

4) Help using PKI-Cert to get & install certificates 
q) Quit PKI Certificate installation utility 

Enter choice> q 

QUIT? (y/n) y 



Obtaining the digital certificate file 

The switch supplier provides the digital certificates in an XML file that is generated in response 
to the CSRs. Generally, the digital certificate file is provided by email. 

To obtain the digital certificate file, contact the switch supplier and provide the following 
information: 

• The CSR file generated in the previous procedure 

• Email address 

• Technical contact 

• Phone 

• Country 

The switch supplier provides a confirmation number and the digital certificate file, which 
contains a certificate for each CSR submitted. 

Save the digital certificate file on a secure workstation. The recommended location is in the 
directory with the CSR file. Making a backup copy of the digital certificate file and storing it in 
a secure location is recommended. 

Distributing digital certificates to the switches 

You can use the PKICert utility to distribute the digital certificates to the switches in the fabric. The 
utility ensures that each digital certificate is installed on the corresponding switch. 

If you run the utility without any task argument, it defaults to interactive mode, in which it 
prompts for the required input. 
NOTE: If this procedure is interrupted by a switch reboot, the certificate is not loaded and 
the procedure must be repeated. 



To load digital certificates onto one or more switches while retrieving CSRs, go to step 8 of 
the previous section, "Using the PKICert utility". 

To manually load digital certificates onto one or more switches: 

1. Open the PKICert utility. On a PC, double-click pkicert.exe. 

The utility prompts for the events log file name. 

2. Type a file name for the events log and press Enter; alternatively, press Enter to accept 
the default. The log file is automatically created in the same directory as pkicert.exe. 

PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 

All events and errors will be recorded in an event/error log file. 
If the file already exists, new event/error information will be 
appended to it. 

Enter a log file name [or just press Enter to accept the default]. 
[pki_events.log] => pki_events_fabric1.log 

The utility prompts for the desired function. 

3. Type 2 to install the certificates and press Enter. 

PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 
FUNCTIONS 

1) Retrieve CSRs from switches & write a CSR file 

2) Install Certificates contained in a Certificate file 

3) Generate a Licensed-Product/Installed-Certificates report 

4) Help using PKI-Cert to get & install certificates 
q) Quit PKI Certificate installation utility 

Enter choice> 2 

The utility prompts for the method of specifying fabric addresses. 
4. Type the desired method for entering the fabric addresses. 



PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 
Choose a method for providing fabric addresses 

1) Manually enter fabric address 

2) Read addresses from a file (name to be given) 
r) Return to Main menu 

Type choice> 

To manually enter the fabric address: 

a. Type 1 and press Enter. 

The utility prompts for the IP address or switch name of a switch in the fabric. Only one 
switch name or IP address is required for each fabric. 

b. Type the IP address or switch name of one of the switches in the fabric and press 
Enter. 

At least one valid IP address must be entered to continue; the corresponding switch 
must be operating and available. When all the IP addresses have been entered, press 
Enter again to end the list. 

The utility prompts for the username and password for this switch. 

c. Type the username and password; then press Enter to continue. 

PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 

Only one address per fabric is needed to get to all switches. 
Enter a list of one or more IP or DNS addresses (aliases) you 
wish to use (one per line). End the list with an empty item. 

1 --> 10.32.142.167 

2 --> 

Connecting to Fabric(s)... 

Login to fabric 1. principal switch WWN = 10:00:00:60:69:80:46:00 

Username: admin 
Password: 

Logged into fabric 1. principal switch WWN = 10:00:00:60:69:80:46:00 
Press Enter to continue > 

To read the fabric addresses from a file: 
a. Type 2 and press Enter. 
The utility prompts for the path and file name of the file. The addresses in the file must be IP 
addresses or switch names, each on a separate line. 

b. Type the path and file name of the file that contains the fabric addresses and press 
Enter. 



Enter the file-name of the Fabric Address file. 
File Name ===> \\server\Working\FabricAddresses.txt 

Connecting to Fabric(s)... 

Login to fabric 1. principal switch WWN = 10:00:00:60:69:80:46:00 

Username: admin 
Password: 

Logged into fabric 1. principal switch WWN = 10:00:00:60:69:80:46:00 
Press Enter to continue > 









The utility prompts for the path and file name of the digital certificate file provided by the 
switch supplier. 



5. Type the path and file name of the digital certificate file and press Enter. 

If the returned path and file name is correct, type y and press Enter; if not, type n, press 
Enter, retype the path and file name, and verify it is correct. 

PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 
LOAD CERTIFICATES 

Enter the file-name of the Certificates input file. 
File Name ===> \\server\Working\DC_Fabric1.xml 

Is the filename "\\server\Working\DC_Fabric1.xml" correct? (y/n) : y 

The utility prompts for which fabrics to install digital certificates to. 

6. Type 1 to distribute certificates only to the fabric identified earlier or a to install certificates 
to all discovered fabrics; then press Enter. 



PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 
Choose a Fabric On Which to Operate 

Fabric World Wide Name       # Switches   Principal 

1) 10:00:00:60:69:80:46:00   7            host1_sw0 

a) All Fabrics 

r) Return to Functions menu 

enter your choice> 1 
The new certificates are loaded onto the switches and the success or failure of each certificate 
load is displayed. 

7. Press Enter to continue. 



PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 
Load Certificates onto 1 fabric(s) 

1. Loaded Certificate on Switch primaryfcsswitch: WWN-10:00:00:60:69:11:fc:52 
2. Loaded Certificate on Switch backupfcsswitch: WWN-10:00:00:60:69:11:fc:53 
3. Loaded Certificate on Switch backupfcsswitch: WWN-10:00:00:60:69:11:fc:54 
4. Loaded Certificate on Switch nonfcsswitch: WWN-10:00:00:60:69:11:fc:55 
5. Loaded Certificate on Switch nonfcsswitch: WWN-10:00:00:60:69:11:fc:56 
6. Loaded Certificate on Switch nonfcsswitch: WWN-10:00:00:60:69:11:fc:57 
7. Loaded Certificate on Switch nonfcsswitch: WWN-10:00:00:60:69:11:fc:58 

7 Certificates were loaded, 
0 Certificate loads failed 

Press Enter to Continue. 



NOTE: The sectelnet application can be used as soon as a digital certificate is installed on 
the switch. 



8. Press Enter. 

The Functions menu is displayed. 

9. Type q to quit the utility; then type y and press Enter to verify that you want to quit. 

PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 
FUNCTIONS 

1) Retrieve CSRs from switches & write a CSR file 

2) Install Certificates contained in a Certificate file 

3) Generate a Licensed-Product/Installed-Certificates report 

4) Help using PKI-Cert to get & install certificates 
q) Quit PKI Certificate installation utility 

Enter choice> q 

QUIT? (y/n) y 

Verifying installation of the digital certificates 

The installation of the digital certificates can be verified through the CLI. 

To verify that digital certificates are installed on all the switches in the fabric: 

1. Log in to one of the switches in the fabric as admin. 
2. Display the PKI objects: 

• For Fabric OS v4.4.x, enter pkishow. If the switch is a Core Switch 2/64 or a 
two-domain SAN Director 2/128, enter this command on both logical switches. 

• For Fabric OS v3.2.0, enter configShow "pki". 

The command displays the status of the PKI objects. 



NOTE: "Root Certificate" is an internal PKI object. "Certificate" is the digital certificate. 



Displaying PKI objects on Fabric OS v4.4.x: 

switch:admin> pkishow 
Passphrase       : Exist 
Private Key      : Exist 
CSR              : Exist 
Certificate      : Exist 
Root Certificate : Exist 



Displaying PKI objects on Fabric OS v3.2.0: 



switch:admin> configshow "pki" 
Passphrase       : Exist 
Private Key      : Exist 
CSR              : Exist 
Certificate      : Exist 
Root Certificate : Exist 



3. Verify that Certificate displays Exist. 

If the certificate shows Empty but the other objects show Exist, repeat the procedure 
provided in "Distributing digital certificates to the switches" on page 34. 

If any of the other objects show Empty or the command displays an error message, 
re-create the objects as described in "Recreating PKI objects if required" on page 39. 

4. Repeat for the remaining switches in the fabric. 
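Step 3 above is a three-way decision: all objects Exist means the switch is done, Certificate Empty with everything else Exist means the certificate distribution must be repeated, and any other Empty object or an error message means the PKI objects must be re-created. When a fabric has many switches it is worth scripting that triage over the saved pkiShow (or configShow "pki") output of each one. The following Python script is an added example, not part of this guide or of Fabric OS; the status listings it parses are constructed to match the format shown above (the "Certificate : Empty" case is the one pkiCreate leaves behind), the error line is a constructed placeholder rather than a real Fabric OS message, and the action names are this example's own. 

```python
"""Triage pkiShow / configShow "pki" output into the follow-up action that
"Verifying installation of the digital certificates", step 3, prescribes.

Added example, not from the HP/Brocade documentation. Sample outputs are
constructed to match the status table shown in the guide; the error text
below is a placeholder, not a real Fabric OS message.
"""

# The five PKI objects listed by the command, in display order.
PKI_OBJECTS = ("Passphrase", "Private Key", "CSR", "Certificate", "Root Certificate")

# Outcomes named by this example (the guide describes them in prose).
ACTION_OK = "certificates installed"
ACTION_REDISTRIBUTE = "repeat certificate distribution"   # only Certificate is Empty
ACTION_RECREATE = "re-create PKI objects"                # other object Empty, or error

# Constructed samples. Same layout for pkiShow (v4.4.x) and configShow "pki" (v3.2.0).
SAMPLE_ALL_EXIST = """\
switch:admin> pkishow
Passphrase       : Exist
Private Key      : Exist
CSR              : Exist
Certificate      : Exist
Root Certificate : Exist
"""
SAMPLE_CERT_EMPTY = SAMPLE_ALL_EXIST.replace("Certificate      : Exist", "Certificate      : Empty")
SAMPLE_KEY_EMPTY = 'switch:admin> configshow "pki"\n' + "\n".join(
    SAMPLE_CERT_EMPTY.splitlines()[1:]).replace("Private Key      : Exist", "Private Key      : Empty") + "\n"
SAMPLE_ERROR = "switch:admin> pkishow\nerror: PKI objects not available (constructed placeholder)\n"


def parse_pki_status(output):
    """Map each PKI object name to its reported status ('Exist' or 'Empty').

    Returns None when the output carries an error message instead of the
    status table. Prompt echoes (lines containing '>') are skipped.
    """
    status = {}
    for line in output.splitlines():
        if "error" in line.lower():
            return None
        if ">" in line or ":" not in line:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if name in PKI_OBJECTS:
            status[name] = value
    return status


def pki_action(output):
    """Return the action the guide prescribes for this switch's output."""
    status = parse_pki_status(output)
    if status is None:
        return ACTION_RECREATE
    # Anything not reported as Exist (Empty, or missing from the table) counts.
    not_ok = [name for name in PKI_OBJECTS if status.get(name) != "Exist"]
    if not not_ok:
        return ACTION_OK
    if not_ok == ["Certificate"]:
        return ACTION_REDISTRIBUTE
    return ACTION_RECREATE


if __name__ == "__main__":
    for label, sample in (("all exist", SAMPLE_ALL_EXIST), ("cert empty", SAMPLE_CERT_EMPTY),
                          ("key empty", SAMPLE_KEY_EMPTY), ("error", SAMPLE_ERROR)):
        print(label + ":", pki_action(sample))
```

On a Core Switch 2/64 or a two-domain SAN Director 2/128, run the triage on the output of both logical switches, since the guide requires the command on each of them. 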

Recreating PKI objects if required 

The PKI objects (except for the digital certificate) are automatically generated the first time 
Fabric OS v3.2.0 or v4.4.x is booted. If the switch is in secure mode and any of the PKI objects 
appear to be missing, the switch segments from the fabric and disables security. 

The PKI objects on Fabric OS v3.2.0 and v4.4.x can be regenerated by rebooting the switch. 
The PKI objects on Fabric OS v4.4.x can also be regenerated through the following 
procedure. 
NOTE: Secure mode must be disabled to perform this procedure. 



To use the CLI to re-create the PKI objects on Fabric OS v4.4.x: 

1. Log in to the switch as admin. 

2. Type the pkiRemove command. If the switch is a Core Switch 2/64 or a two-domain 
SAN Director 2/128, enter this command on both logical switches. 

3. Type the pkiCreate command to create new PKI objects. New PKI objects are created 
without digital certificates. If the switch is a Core Switch 2/64 or a two-domain SAN 
Director 2/128, enter this command on both logical switches. The pkiCreate command 
does not work if secure mode is already enabled. 

4. Type the pkishow command. If the switch is a Core Switch 2/64 or a two-domain SAN 
Director 2/128, enter this command on both logical switches. 

The command displays the status of the PKI objects. 



Recreating PKI objects on Fabric OS v4.4.x: 

switch:admin> pkicreate 
Installing Private Key and Csr... 
Switch key pair and CSR generated... 
Installing Root Certificate... 
switch:admin> pkishow 
Passphrase       : Exist 
Private Key      : Exist 
CSR              : Exist 
Certificate      : Empty 
Root Certificate : Exist 



5. Repeat for any other switches, as required. 



Creating PKI certificate reports 

Reports for PKI certification provide information about the number of licenses and switches 
enabled on your secured fabric. The reports can also be used to audit the fabric. 
1. To create a PKI report, type 3 (shown in the following example), and follow the screen 
prompts. 



PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 
FUNCTIONS 

1) Retrieve CSRs from switches & write a CSR file 

2) Install Certificates contained in a Certificate file 

3) Generate a Licensed-Product/Installed-Certificates report 

4) Help using PKI-Cert to get & install certificates 
q) Quit PKI Certificate installation utility 

Enter choice> 3 

2. Type the desired method for entering the fabric addresses. 

PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 
Choose a method for providing fabric addresses 

1) Manually enter fabric address 

2) Read addresses from a file (name to be given) 
r) Return to Main menu 

Enter choice> 1 

To manually enter the fabric address: 

a. Type 1 and press Enter. 

The utility prompts for the IP address or switch name of a switch in the fabric. Only one 
switch name or IP address is required for each fabric. 

b. Type the IP address or switch name of one of the switches in the fabric and press 
Enter. 

At least one valid IP address must be entered to continue, and the corresponding 
switch must be operating and available. When all the IP addresses have been entered, 
press Enter again to end the list. 

The utility prompts for the username and password for this switch. 

c. Type the username and password; then press Enter to continue. 

PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 

Only one address per fabric is needed to get to all switches. 
Enter a list of one or more IP or DNS addresses (aliases) you 
wish to use (one per line). End the list with an empty item. 

1 --> 192.168.156.73 
After you enter the IP address or name, the utility logs in to the fabric. 



Connecting to Fabric(s)... 

Login to fabric 1. principal switch WWN = 10:00:00:60:69:50:0d:9f 

Username: root 
Password: 

Logged into fabric 1. principal switch WWN = 10:00:00:60:69:50:0d:9f 
Press Enter to continue > 

















The utility prompts for information about the report file to be created. 



3. Type the requested information: 

a. Type the path and file name for the report file to be created. Then, type y if the address 
was entered correctly; if not, type n and reenter the address. 

b. Type y to include licensed product data in the file; otherwise, type n. 

c. Type y to retrieve reports from all switches in the fabric or type n to retrieve reports 
only from switches that do not already have a digital certificate. 

PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 
CREATE REPORT ON LICENSED PRODUCTS 

You must enter the file-name of the report file to write. 



Note : 

* The named file will be created 

* The file-name may include a directory path 
that must already exist. 

* An extension of '.xml' will be appended to 
the file name if not already present. 

* If the file already exists, it will be 
overwritten . 



File Name ===> SFOS_FAB 

Is the filename "SFOS_FAB.xml" correct? (y/n): y 

The utility prompts for which fabrics to write reports to. 
4. Type 1 to write certificate reports only for the fabric identified earlier, or type a to write 
certificate reports for all discovered fabrics; then press Enter. 



PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 
Choose a Fabric On Which to Operate 

   Fabric World Wide Name        # Switches   Principal 
1) 10:00:00:60:69:50:0d:9f            2       sec_edge_2 
a) All Fabrics 
r) Return to Functions menu 

enter your choice> 1 





PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 
Reporting on Licensed Products of these Fabrics: 
   Fabric World Wide Name        # Switches   Principal 
1) 10:00:00:60:69:50:0d:9f            2       sec_edge_2 

Wrote 545 bytes of Lic Prod info to file: "SFOS_FAB.xml" 
Success compiling and writing license report. 
Press enter to continue. 

5. Press Enter. 

The Functions screen is displayed. 

6. Type q to quit the utility; then type y and press Enter to verify you want to quit. 

PKI CERTIFICATE INSTALLATION UTILITY pki_vl . 0 . 6 
FUNCTIONS 

1) Retrieve CSRs from switches & write a CSR file 

2) Install Certificates contained in a Certificate file 

3) Generate a Licensed-Product/Installed-Certificates report 

4) Help using PKI-Cert to get & install certificates 
q) Quit PKI Certificate installation utility 

Enter choice> q 
Accessing PKI certificate help 

PKI help provides command line information about PKICert and advice on advanced options 
for advanced users. 

To access PKI help: 

1. Select option 4 (as shown in the following example) and follow the screen prompts. 

PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 
FUNCTIONS 

1) Retrieve CSRs from switches & write a CSR file 

2) Install Certificates contained in a Certificate file 

3) Generate a Licensed-Product/Installed-Certificates report 

4) Help using PKI-Cert to get & install certificates 
q) Quit PKI Certificate installation utility 

Enter choice> 4 



HELP USING PKI-CERT TO GET & INSTALL DIGITAL CERTIFICATIONS 

NOTE: This utility will only work with switches running a FAB-OS version 
that supports Fabric Security (e.g. >= v2.6, v3.2, v4.3) 

1) Use PKI-Cert to get CSR's (Certificate Signing Requests) which will be 
written to a data file. The XML format file will contain CSR's for each 
switch (identified by its WWN). 

2) Next, Upload the CSR file to the Security Upgrade website. A data file 
will be emailed to you containing a set of digital Certificates, one for each 
switch, in XML format. 

3) Finally, use PKI-Cert to install the Certificates. You will be prompted for 
the name of the data file containing the certificates. 

Some options may be given on the command line such as "Log-Level." 
Read help for Batch/Command-Line mode usage (y/n) ? > y 
HELP WITH COMMAND LINE USEAGE OF PKI CERTIFICATE UTILITY 

pkicert [-gGil] [-e log-file] [-d data-file] [-a addr-file] [-A switch-addr] [-L 
log-level] [-u user-login -p password] 

Task Options: 

-g Get CSRs & generate a CSR data file 

-G Get CSRs (even from switches with certificates) 

-i Install Certificates from a data file 

-l Licensed Product Report compile & generate 
If none of the above "task" options is given, Pki-Cert will operate in 
"Interactive" rather than "Batch" mode. 

Other OPtions: 

Log-file: -e (events/errors log) 

Path/ file-name of log file created and written to (or if it already exists, 
apprended to ) with event/error data 
<Press Enter to Continue> 



Data-file: -d 

Path/ file-name of input or output file 

* If the task is "Get-CSRs" or "License Rpt", the file is an output file 
created and written to with CSR or License report data. 

* If the task is "Install Certificates", dat is read from it. 

Address-file: -a 

Path/ file-name of optional input file containing IP addresses or aliases of 
fabrics to which sessions should be established. If this argument is not provided, 
this data is read from the file indicated by environment variable 
'FABRIC_CONFIG_FILE'. 

Address-IP: -A 

IP address of switch/fabric with which to connect for the given task. 
Log-Level: -L 

Level of information to write to the event log file: 

0 = Silent, 1 = Errors, 2 = Events + Errors, 3 = Debug-info + Events + ... 
<Press Enter to Continue> 
2. To end help, press Enter. 

User Login: -u 

User name or account login for switch given with -A option or for use as 
default for all switches given. 

Password: -p 

Password must accompany "-u UserLogin" if provided. It must be more than 5 
characters. 

END Of HELP with Batch Usage 

<Press Enter to Continue> 





Adding Secure Fabric OS to HP StorageWorks enterprise class switches 

The two logical switches in a Core Switch 2/64 or a SAN Director 2/128 (configured as two 
domains) require a slightly different procedure from other Fabric OS switches. This 
procedure applies whether the switches are shipped with or upgraded to Fabric OS v4.4.x. 



CAUTION: Placing the two switches from the same director in separate fabrics is not 
supported if secure mode is enabled on one or both switches. 



Status messages from any logical switch are broadcast to the serial console and telnet 
sessions on all logical switches. All broadcast messages display the switch instance. 
Messages that originate from a switch instance other than the one to which the telnet session 
is logged in can be ignored. 



To set up Secure Fabric OS on a Core Switch 2/64 or two-domain SAN Director 2/128: 

1. Open a telnet or Secure Shell session to the IP address of either of the logical switches. 

sectelnet can also be used if the switch was shipped with Fabric OS v4.4.x (and therefore 
already has a digital certificate). 



NOTE: Fabric OS v4.4.x maintains separate login accounts for each logical switch. 



2. Type the version command. This shows the firmware version installed on the active CP. 
If the firmware is Fabric OS v4.0.0c or later, the firmwareShow command can be 
entered for more detailed information about which firmware versions are installed. 



SW12000:admin> version 
Kernel: 2.4.2 
Fabric OS: v4.0.2 

Made on: Fri Feb 1 23:02:08 2002 
Flash: Fri Feb 1 18:03:35 2002 
BootProm: 4.2.13b 

SW12000:admin> firmwareshow 

Local CP (Slot 5, CP0): Active 
Primary partition: v4.0.2 
Secondary Partition: v4.0.2 
Remote CP (Slot 6, CP1): Standby 
Primary partition: v4.0.2 
Secondary Partition: v4.0.2 



3. If the firmware version is not Fabric OS v4.4.x or later, back up the configuration and 
install Fabric OS v4.4.x or later on both CPs. For instructions, refer to "Upgrading to a 
compatible version of Fabric OS" on page 26. 

4. Log in to one logical switch and change the account passwords from the default values, as 
described in "Customizing the account passwords" on page 27; then, log in to the other 
logical switch and change the passwords from the default values. 

5. If the logical switches are in separate fabrics, synchronize the fabrics by connecting them 
to a common external network time protocol (NTP) server. 



NOTE: If the fabric contains any switches running Fabric OS v4.4.x or later, the server must 
support a full NTP client. For switches running Fabric OS v3.2.0, the server can be SNTP or 
NTP. 



a. Open a telnet or Secure Shell session to either of the logical switches. 

b. Type tsclockserver "IP address of NTP server". 

c. The IP address can be verified by reentering the command with no operand, which 
displays the current setting. 
d. Repeat for the other logical switch. 

SW12000switch0:admin> tsclockserver "132.163.135.131" 
switch:admin> tsclockserver 
132.163.135.131 

SW12000switch0:admin> login 
login: admin 
Password: xxxxxx 

12000switch1:admin> tsclockserver "132.163.135.131" 
12000switch1:admin> tsclockserver 
132.163.135.131 

6. Ensure that both logical switches have a Secure Fabric OS license activated, as described 
in "Verifying or activating the Secure Fabric OS and Advanced Zoning licenses" on 
page 24. 

NOTE: Only one license key is required to enable the same feature on both logical switches. 

7. Ensure that both logical switches have an Advanced Zoning license activated, as described 
in "Verifying or activating the Secure Fabric OS and Advanced Zoning licenses" on 
page 24. 

8. If the firmware was upgraded, perform the following steps: 

a. Download and install the PKICert utility on the computer workstation, if not already 
installed, as described in "Installing the PKICert utility" on page 28. 

b. Use the PKICert utility to create a file containing the certificate signing requests (CSRs) 
of all the switches in the fabric, as described in "Using the PKICert utility" on page 28. 

c. Obtain digital certificates from the switch supplier, as described in "Obtaining the 
digital certificate file" on page 34. 

d. Use the PKICert utility to load the certificates onto both logical switches, as described in 
"Distributing digital certificates to the switches" on page 34. 

e. Verify that the digital certificates are installed on both logical switches, as described in 
"Verifying installation of the digital certificates" on page 38. The pkiShow command 
referenced in this procedure must be executed from both logical switches. 
Installing a supported CLI client on a computer workstation 

Standard telnet sessions work only until secure mode is enabled. The following telnet clients 
are supported after secure mode has been enabled: 

• sectelnet 

sectelnet is a secure form of telnet that is available for switches running Fabric OS v3.2.0 
or v4.4.x. For instructions on installing the sectelnet client, refer to the following 
procedures. 

• SSH 

SSH is a secure form of telnet that is supported only for switches running Fabric OS v4.1.x 
and later. You can use SSH clients that use version 2 of the protocol (for example, 
OpenSSH or F-Secure). 

sectelnet is provided on the Partner Web site. It can be used as soon as a digital certificate is 
installed on the switch. 



CAUTION: Ensure that all intermediate hops are secure when accessing a switch by way of 
sectelnet or SSH; otherwise, user passwords might be compromised. 



To install the sectelnet client on a Solaris workstation: 

1. Obtain the Solaris version of the sectelnet file from the switch supplier and copy the file 
onto the workstation computer. 

2. Decompress the tar file and install it to a location that is "known" to the computer, such as 
the directory containing the standard telnet file. The location must be defined in the path 
environment variable. 

To install the sectelnet client on a PC workstation: 

1. Obtain the PC version of the sectelnet file from the switch supplier and copy the file onto 
the workstation computer. 

2. Double-click the zipped file to decompress it. 

3. Double-click the setup.exe file. 

4. Install sectelnet.exe to a location that is "known" to the computer, such as in the 
directory containing telnet.exe. The location must be defined in the path environmental 
variable. 

sectelnet.exe is available as soon as setup completes. 
Configuring authentication 



By default Secure Fabric OS on Fabric OS v3.2.0 and v4.4.x uses SLAP or FCAP protocols 
for authentication. These protocols use digital certificates, based on switch WWN and PKI 
technology to authenticate switches. Support for FCAP is provided in Secure Fabric OS 
v3.2.0 and v4.4.x and is used when both switches support it. Authentication automatically 
defaults to SLAP when a switch does not support FCAP. 

Alternatively, you can configure Secure Fabric OS to use DH-CHAP authentication. Use the 
authUtil command to configure the authentication parameters used by the switch. When 
you configure DH-CHAP authentication, you must also define a pair of shared secrets known 
to both switches. Figure 1 shows how the secrets are configured. In the pair, one is the local 
switch secret and the other is the peer switch secret. (The terms local and peer are relative to 
the initiator: the switch that initiates authentication is local, and the switch that responds is 
the peer.) 

Use secAuthSecret to set shared secrets on the switch. Configured shared secrets are 
used at the next authentication. Authentication occurs whenever secure mode is enabled or 
whenever there is a state change for the switch or port. The state change can be due to a 
switch reboot, or a switch or port enable or disable. 



        Switch A                         Switch B 
  Key database on switch          Key database on switch 
    Local secret A                   Local secret B 
    Peer secret B                    Peer secret A 

Figure 1 DH-CHAP authentication 



Selecting authentication protocols 



Use the authUtil command to: 

• Display the current authentication parameters 

• Select the authentication protocol used between switches 

• Select the Diffie-Hellman (DH) group for a switch 
Authentication is only performed when secure mode is enabled, but you can run the 
authUtil command whether secure mode is enabled or not. Run the command on the 
switch you want to view or change. 

This section illustrates using the authUtil command to display the current authentication 
parameters and to set the authentication protocol to DH-CHAP. Refer to the HP StorageWorks 
Fabric OS 4.x command reference guide for more details on the authUtil command. 

To view the current authentication parameter settings for a switch: 

1. Log in to the switch as admin. 

2. On a switch running Fabric OS v4.x, type authUtil --show; on a switch running 
Fabric OS v3.x, type authUtil "--show". 

Output similar to the following displays: 



AUTH TYPE    HASH TYPE    GROUP TYPE 
dhchap       sha1, md5    0,1,2,3,4 



To set the authentication protocol used by the switch to DH-CHAP: 



1. Log in to the switch as admin. 

2. On a switch running Fabric OS v4.x, type authUtil --set -a dhchap; on a switch 
running Fabric OS v3.x, type authUtil "--set -a dhchap". 

Output similar to the following displays: 

Authentication is set to dhchap. 

When using DH-CHAP, make sure that you configure the switches at both ends of a link. 



NOTE: If you set the authentication protocol to DH-CHAP, have not yet configured shared 
secrets, and authentication is checked (for example, when you enable the switch), switch 
authentication fails. 
Managing shared secrets 



When you configure the switches at both ends of a link to use DH-CHAP for authentication, 
you must also define a pair of shared secrets, one for each end of the link. Use the 
secAuthSecret command to: 

• View the WWN of switches with shared secrets 

• Set the shared secrets for switches 

• Remove the shared secret for one or more switches 

This section illustrates using the secAuthSecret command to display the list of switches in 
the current switch's shared secret database and to set the pair of shared secrets for the current 
switch and a connected switch. Refer to the HP StorageWorks Fabric OS 4.x command 
reference guide for more details on the secAuthSecret command. 



NOTE: A Secure Fabric OS license is required to use the secAuthSecret command. 



When setting shared secrets, note that you are entering the shared secrets in plain text. Use a 
secure channel (for example, SSH or the serial console), to connect to the switch on which you 
are setting the secrets. 



To view the list of switches with shared secrets in the current switch's database: 

1. Log in to the switch as admin. 

2. On a switch running Fabric OS v4.x, type secAuthSecret --show; on a switch 
running Fabric OS v3.x, type secAuthSecret "--show". 

The output displays the WWN, domain ID and name (if known) of the switches with 
defined shared secrets, for example: 

WWN Did Name 



10:00:00:60:69:80:07:52 Unknown 
10:00:00:60:69:80:07:5c 1 switchA 

To set shared secrets: 

1. Log in to the switch as admin. 

2. On a switch running Fabric OS v4.x, type secAuthSecret --set; on a switch running 
Fabric OS v3.x, type secAuthSecret "--set". 
This enters command interactive mode. The command returns a description of itself and 
needed input; then it loops through a sequence of switch specification, peer secret entry 
and local secret entry. To exit the loop, press Enter for the switch name. 



switchA:admin> secAuthSecret --set 

This command is used to set up secret keys for the DH-CHAP authentication. 
The minimum length of a secret key is 8 characters and maximum 40 
characters. Setting up secret keys does not initiate DH-CHAP 
authentication. If switch is configured to do DH-CHAP, it is performed 
whenever a port or a switch is enabled. 

Warning: Please use a secure channel for setting secrets. Using 
an insecure channel is not safe and may compromise secrets. 

Following inputs should be specified for each entry. 

1. WWN for which secret is being set up. 

2. Peer secret: The secret of the peer that authenticates to peer. 

3. Local secret: The local secret that authenticates peer. 

Press Enter to start setting up shared secrets > <cr> 

Enter WWN, Domain, or switch name (Leave blank when done) : 
10:20:30:40:50:60:70:80 

Enter peer secret: <hidden> 
Re-enter peer secret: <hidden> 
Enter local secret: <hidden> 
Re-enter local secret: <hidden> 

Enter WWN, Domain, or switch name (Leave blank when done) : 
10:20:30:40:50:60:70:81 

Enter peer secret: <hidden> 
Re-enter peer secret: <hidden> 
Enter local secret: <hidden> 
Re-enter local secret: <hidden> 

Enter WWN, Domain, or switch name (Leave blank when done) : <cr> 
Are you done? (yes, y, no, n) : [no] y 

Saving data to key store... Done . 
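The following is an added example, not part of this guide or of Fabric OS, that models the secret pairing shown in Figure 1 and entered with secAuthSecret --set: each switch keeps, per peer WWN, a local secret (used to answer the peer's challenge) and a peer secret (used to check the peer's answer), so switch A's local secret must equal switch B's peer secret and vice versa. The class and function names are my own; the challenge-response is a simplified CHAP model (hash of secret and challenge, hash types sha1 and md5 as listed by authUtil --show), not the FC-SP wire format, and no Diffie-Hellman step is modelled. The two WWNs are the ones shown in the secAuthSecret --show output on this page; the secrets are constructed sample values. The 8-to-40 character limit enforced in set_secret is the one quoted by the command above.

```python
import hashlib
import hmac
import os

# Length limits quoted by secAuthSecret --set (8 to 40 characters).
SECRET_MIN_LEN = 8
SECRET_MAX_LEN = 40


class SwitchKeyDatabase:
    """Key database of one switch: one (local, peer) secret pair per peer WWN.

    local secret: what this switch uses to answer a peer's challenge.
    peer secret:  what this switch uses to check the peer's answer.
    """

    def __init__(self, wwn, hash_name="sha1"):
        self.wwn = wwn
        self.hash_name = hash_name      # authUtil --show lists sha1 and md5
        self.entries = {}               # peer WWN -> {"local": str, "peer": str}

    def set_secret(self, peer_wwn, peer_secret, local_secret):
        """One iteration of the secAuthSecret --set loop, with the length check."""
        for secret in (peer_secret, local_secret):
            if not SECRET_MIN_LEN <= len(secret) <= SECRET_MAX_LEN:
                raise ValueError("secret must be %d to %d characters"
                                 % (SECRET_MIN_LEN, SECRET_MAX_LEN))
        self.entries[peer_wwn] = {"local": local_secret, "peer": peer_secret}

    def _proof(self, secret, challenge):
        # Simplified CHAP response: hash(secret || challenge). This is a model
        # only; the real FC-SP DH-CHAP response covers further fields.
        h = hashlib.new(self.hash_name)
        h.update(secret.encode("utf-8"))
        h.update(challenge)
        return h.digest()

    def respond(self, challenger_wwn, challenge):
        """Responder side: prove knowledge of OUR local secret for this peer."""
        entry = self.entries.get(challenger_wwn)
        if entry is None:
            return None                 # no secret pair for this peer: cannot answer
        return self._proof(entry["local"], challenge)

    def verify(self, responder_wwn, challenge, response):
        """Initiator side: check the peer's proof against OUR stored peer secret."""
        entry = self.entries.get(responder_wwn)
        if entry is None or response is None:
            return False
        expected = self._proof(entry["peer"], challenge)
        return hmac.compare_digest(expected, response)


def authenticate(initiator, responder, challenge=None):
    """One direction of the exchange: initiator challenges, responder proves itself."""
    if challenge is None:
        challenge = os.urandom(16)
    response = responder.respond(initiator.wwn, challenge)
    return initiator.verify(responder.wwn, challenge, response)


def mutual_authenticate(a, b):
    """Both directions, since each switch checks the other after a port or switch enable."""
    return authenticate(a, b), authenticate(b, a)


# WWNs as shown in the secAuthSecret --show output; secrets are constructed samples.
SWITCH_A_WWN = "10:00:00:60:69:80:07:52"
SWITCH_B_WWN = "10:00:00:60:69:80:07:5c"


def build_matched_pair():
    """Switches A and B configured as in Figure 1: A's local secret is B's peer secret."""
    a = SwitchKeyDatabase(SWITCH_A_WWN)
    b = SwitchKeyDatabase(SWITCH_B_WWN)
    a.set_secret(SWITCH_B_WWN, peer_secret="secret-B-8chars", local_secret="secret-A-8chars")
    b.set_secret(SWITCH_A_WWN, peer_secret="secret-A-8chars", local_secret="secret-B-8chars")
    return a, b


def build_mismatched_pair():
    """Operator typed the wrong peer secret for A on switch B: only one direction passes."""
    a, b = build_matched_pair()
    b.set_secret(SWITCH_A_WWN, peer_secret="wrong-secret-for-A", local_secret="secret-B-8chars")
    return a, b


if __name__ == "__main__":
    print(mutual_authenticate(*build_matched_pair()))     # (True, True)
    print(mutual_authenticate(*build_mismatched_pair()))  # (True, False)
```

The mismatched case is the one the NOTE under "Selecting authentication protocols" warns about: the link still fails even though one side's secrets are right, and nothing on the responding switch tells you which of the two secrets is wrong, so re-enter both on both switches over a secure channel.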
3 Creating Secure Fabric OS policies 



Secure Fabric OS policies make it possible to customize access to the fabric. The FCS policy 
is the only required policy; all other policies are optional. 

To implement Secure Fabric OS policies: 

• Determine which trusted switches to use as FCS switches to manage Secure Fabric OS. 

• Enable secure mode in the fabric and specify the FCS switch and one or more backup FCS 
switches. This automatically creates the FCS policy. 

• Determine which additional Secure Fabric OS policies to implement in the fabric; then 
create and activate those policies. An access policy must be created for each 
management channel that is used. 

• Verify that the Secure Fabric OS policies are operating as intended. Testing a variety of 
scenarios to verify optimal policy settings is recommended. For troubleshooting 
information, refer to "Troubleshooting" on page 107. 

Secure mode is enabled by the secModeEnable command. You can use optional arguments 
to the command to automate some policy-creation tasks. Refer to the HP StorageWorks Fabric 
OS 4.x command reference guide for more information. 

This chapter contains the following sections: 

• Default Fabric and switch accessibility, page 56 

• Enabling Secure mode, page 57 

• Modifying the FCS policy, page 62 

• Creating Secure Fabric OS policies other than the FCS policy, page 66 

• Managing Secure Fabric OS policies, page 83 
Default Fabric and switch accessibility 

Following is the default fabric and switch access when secure mode is enabled but no 
additional Secure Fabric OS policies have been created: 

• Switches: 

• Only the primary FCS switch can be used to make Secure Fabric OS changes. 

• Any HP StorageWorks switch can join the fabric, provided it is connected to the fabric 
and meets the minimum Secure Fabric OS requirements (such as Security and 
Advanced Zoning licenses and digital certificates). 

• All switches in the fabric can be accessed through a serial port. 

• All switches in the fabric that have front panels (SAN Switch 2 Gbps switches) can be 
accessed through the front panel. 

• Computer hosts and workstations: 

• Any host can access the fabric by using SNMP. 

• Any host can access any switch in the fabric by using the CLI (such as by sectelnet or 
Secure Shell). 

• Any host can establish an HTTP connection to any switch in the fabric. 

• Any host can establish an API connection to any switch in the fabric. 

• Devices: 

NOTE: HP does not support SES at this time, although it appears in the Secure Fabric 
application, and throughout this guide. 

• All device ports can access SES. 

• All devices can access the management server. 

• Any device can connect to any Fibre Channel port in the fabric. 

• Zoning: node WWNs can be used for WWN-based zoning. 
Enabling Secure mode 

Secure mode is enabled and disabled on a fabric-wide basis. Secure mode can be enabled 
and disabled as often as desired; however, all Secure Fabric OS policies, including the FCS 
policy, are deleted each time secure mode is disabled, and they must be re-created the next 
time it is enabled. The Secure Fabric OS database can be backed up using the 
configUpload command. For more information about this command, refer to the HP 
StorageWorks Fabric OS 4.x command reference guide. 

Secure mode is enabled using the secModeEnable command. This command must be 
entered through a sectelnet, Secure Shell, or serial connection to the switch designated as the 
primary FCS switch. The command fails if any switch in the fabric is not capable of enforcing 
Secure Fabric OS policies. If the primary FCS switch fails to participate in the fabric, the role 
of the primary FCS switch moves to the next available switch listed in the FCS policy. 

The secModeEnable command performs the following actions: 

• Creates and activates the FCS policy. 

• Distributes the policy set (initially consisting of only the FCS policy) to all switches in the 
fabric. 

• Activates and distributes the local zoning configurations. 

• Fastboots any switches needing a reboot to bring the fabric up in secure mode. (Switches 
running Fabric OS v3.2.0 and v4.4.x do not need to be rebooted to enable secure mode.) 



NOTE: After running secModeEnable from a switch with Fabric OS v3.2.0 or v4.4.x, 
switches with previous OS versions reboot. Wait until the reboot of those switches completes, 
and then run secFabricShow to verify that all switches in the fabric are in a "Ready" state 
before running any commands that change security policies, passwords, or SNMP. 



Depending on whether optional arguments are specified or not, the command might also 
request new passwords for secure mode. 

By default: the only policy created is the FCS policy; this policy is implemented; no other 
Secure Fabric OS-related changes occur to the fabric. Other Secure Fabric OS policies can 
be created after the fastboots are complete. 



CAUTION: Placing the two switches from the same Core Switch 2/64 or placing the two 
switches of a two-domain SAN Director 2/1 28 in separate fabrics is not supported if secure 
mode is enabled on one or both switches. 
The following restrictions apply when secure mode is enabled: 

• Standard telnet cannot be used after secure mode is enabled; however, sectelnet can be 
used as soon as a digital certificate is installed on the switch. Secure Shell can be used at 
any time; however, telnet sessions opened prior to issuing secModeEnable remain open 
if secure mode is enabled using the option to preserve passwords. If telnet is completely 
prohibited, the telnet protocol should be disabled on each switch, using the configure 
command, prior to enabling secure mode. 

• A number of commands can only be entered from the FCS switches. Refer to "Command 
restrictions in Secure mode" on page 122 for a list of these commands. 

• If downloading a configuration to the switch: 

• Download the configuration to the primary FCS switch. A configuration downloaded to 
a backup FCS switch or non-FCS switch is overwritten by the next fabric-wide update 
from the primary FCS switch. 

• If the configdownload file contains an RSNMP policy, it must also contain a WSNMP 
policy. 

• The defined policy set in the configdownload file must have the following 
characteristics: 

• The defined policy set must exist. 

• The FCS policy must be the first policy. 

• The FCS policy must have at least one switch in common with the current defined 
FCS policy in the fabric. 

• The active policy set in the configdownload file must have the following characteristics: 

• The active policy set must exist. 

• The FCS policy must be the first policy. 

• The FCS policy must be identical to the active FCS policy in the fabric. 
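A pre-flight check for the configdownload rules listed above, as an added example that is not part of this guide or of Fabric OS. It models each policy set (defined and active) as an ordered list of (policy name, member list), takes FCS_POLICY as the name given on this page and RSNMP_POLICY and WSNMP_POLICY as the names of the SNMP read and write policies, and applies the RSNMP-requires-WSNMP rule to each set in the file. The function names are my own; the first two WWNs are the ones shown in the secAuthSecret --show output on this page and the third is a constructed sample.

```python
FCS_POLICY = "FCS_POLICY"        # name of the FCS policy, as given on the page
RSNMP_POLICY = "RSNMP_POLICY"    # SNMP read-access policy
WSNMP_POLICY = "WSNMP_POLICY"    # SNMP write-access policy


def fcs_members(policy_set):
    """Ordered member list of the FCS policy in a policy set, or None if it has none."""
    for name, members in policy_set or []:
        if name == FCS_POLICY:
            return list(members)
    return None


def check_policy_set(label, file_set, fabric_set, must_match_exactly):
    """Apply the download rules to one policy set (defined or active) from the file.

    file_set / fabric_set: ordered lists of (policy name, [members]).
    must_match_exactly: False for the defined set (one switch in common suffices),
                        True for the active set (FCS policy must be identical).
    """
    problems = []
    if not file_set:
        problems.append("%s policy set must exist in the file" % label)
        return problems
    if file_set[0][0] != FCS_POLICY:
        problems.append("%s: FCS_POLICY must be the first policy" % label)
    file_fcs = fcs_members(file_set)
    fabric_fcs = fcs_members(fabric_set) or []
    if file_fcs is not None:
        if must_match_exactly:
            if file_fcs != fabric_fcs:
                problems.append("%s: FCS_POLICY must be identical to the fabric's "
                                "active FCS policy" % label)
        elif not set(file_fcs) & set(fabric_fcs):
            problems.append("%s: FCS_POLICY has no switch in common with the "
                            "fabric's defined FCS policy" % label)
    names = {name for name, _ in file_set}
    if RSNMP_POLICY in names and WSNMP_POLICY not in names:
        problems.append("%s: an RSNMP policy requires a WSNMP policy in the same file"
                        % label)
    return problems


def check_configdownload(file_db, fabric_db):
    """Return the list of rule violations; an empty list means the file passes."""
    return (check_policy_set("defined", file_db.get("defined"),
                             fabric_db.get("defined"), must_match_exactly=False)
            + check_policy_set("active", file_db.get("active"),
                               fabric_db.get("active"), must_match_exactly=True))


# Constructed sample data. The first two WWNs appear in the secAuthSecret --show
# output on this page; ...:07:99 is made up for the example.
PRIMARY_FCS = "10:00:00:60:69:80:07:5c"
BACKUP_FCS = "10:00:00:60:69:80:07:52"
NEW_SWITCH = "10:00:00:60:69:80:07:99"

FABRIC = {
    "defined": [(FCS_POLICY, [PRIMARY_FCS, BACKUP_FCS])],
    "active": [(FCS_POLICY, [PRIMARY_FCS, BACKUP_FCS])],
}

# Accepted: defined FCS shares the primary with the fabric, active FCS is identical,
# and the RSNMP policy is accompanied by a WSNMP policy.
GOOD_FILE = {
    "defined": [(FCS_POLICY, [PRIMARY_FCS, NEW_SWITCH]),
                (RSNMP_POLICY, ["192.168.156.73"]),
                (WSNMP_POLICY, ["192.168.156.73"])],
    "active": [(FCS_POLICY, [PRIMARY_FCS, BACKUP_FCS])],
}

# Rejected on four counts: FCS not first, no switch in common, RSNMP without WSNMP,
# and no active policy set at all.
BAD_FILE = {
    "defined": [(RSNMP_POLICY, ["192.168.156.73"]),
                (FCS_POLICY, [NEW_SWITCH])],
    "active": None,
}

if __name__ == "__main__":
    print(check_configdownload(GOOD_FILE, FABRIC))   # []
    for problem in check_configdownload(BAD_FILE, FABRIC):
        print("-", problem)
```

Running such a check on the primary FCS switch's current policy sets before the download avoids the partial-failure case the NOTE below describes, where the only remedy is to fix the file and repeat configDownload.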



NOTE: If any part of the configuration download process fails, resolve the source of the 
problem and repeat the configDownload command. For information about troubleshooting 
the configuration download process, refer to the HP StorageWorks Fabric OS 4.x Fabric OS 
procedures user guide. 

After configDownload, the policy database might require up to 8 minutes to download. 



For information about displaying the existing Secure Fabric OS policies, see "Displaying 
individual Secure Fabric OS policies" on page 91. 
NOTE: Enabling secure mode fastboots all Fabric OS v2.6.x switches in the fabric. 



To enable secure mode in the fabric: 

1. Ensure that all switches in the fabric have the following: 

• Fabric OS v2.6.2, v3.2.0, or v4.4.x 

• An activated Secure Fabric OS license 

• An activated Advanced Zoning license 

• Digital certificate 

2. Ensure that any zoning configuration downloads have completed on all switches in the 
fabric. For information specific to zoning, refer to the HP StorageWorks Fabric OS 4.x 
Fabric OS procedures user guide. 

3. Open a sectelnet or Secure Shell connection to the switch that will be the primary FCS 
switch. The login prompt is displayed. 



NOTE: Most Secure Fabric OS commands must be executed on the primary FCS switch. The 
secModeEnable command must be entered through a sectelnet or Secure Shell session. 



4. Log in to the switch as admin. 

5. Terminate any other sectelnet or Secure Shell sessions in the fabric (when using the 
secModeEnable command, no other sessions should be active) and ensure that any 
other commands entered in the current session have completed. 

6. Use the secModeEnable command to enable secure mode. 

Several optional arguments are available. This step illustrates three forms of the command: 

• Type secmodeenable --quickmode. 



NOTE: The secModeEnable command might fail if a switch running Fabric OS v2.6.x is in 
the fabric. Fabric OS v2.6.x supports a maximum security database size of 16 Kb. If you use 
--lockdown=dcc or --quickmode, a security database greater than 16 Kb can be 
created. Enabling security succeeds with the other secModeEnable operands. Refer to the 
HP StorageWorks Fabric OS 4.x command reference guide for detailed command and 
operand information. 

Do not use the secModeEnable --currentpwd command until the passwords are 
changed from the factory defaults by answering the password prompts during the login. 
• Type secmodeenable. 

This form invokes the command's interactive mode; identify each FCS switch at the 
prompts (as shown in the next example). Press Enter with no data to end the FCS list. 

• Type secmodeenable "fcsmember;...;fcsmember". 

fcsmember is the domain ID, WWN, or switch name of the primary and backup 
FCS switches, with the primary FCS switch listed first. 

Refer to the HP StorageWorks Fabric OS 4.x command reference guide for other forms of 

the secModeEnable command. 

To enable secure mode using --quickmode: 

switch:admin> secmodeenable --quickmode 

Your use of the certificate-based security features of the software 
installed on this equipment is subject to the End User License Agreement 
provided with the equipment and the Certification Practices Statement, 
which you may review at http://www.switchkeyactivation.com/cps. By using 
these security features, you are consenting to be bound by the terms of 
these documents. If you do not agree to the terms of these documents, 
promptly contact the entity from which you obtained this software and do 
not use these security features. 

Do you agree to these terms? (yes, y, no, n) : [no] y 

This command requires Switch Certificate, Security license and Zoning 
license to be installed on every switch in the fabric. 

PLEASE NOTE: On successful completion of this command, login sessions 
may be closed and some switches may go through a reboot to form a secure 
fabric . 

Non-FCS admin password will be set the same as FCS admin password. 
ARE YOU SURE (yes, y, no, n) : [no] y 

Please enter current admin account password: 

Secure mode is enabled. 
To enable secure mode using the --lockdown=scc, --currentpwd, and --fcs options: 

switch:admin> secmodeenable --lockdown=scc --currentpwd --fcs "*" 

Your use of the certificate-based security features of the software 
installed on this equipment is subject to the End User License Agreement 
provided with the equipment and the Certification Practices Statement, 
which you may review at http://www.switchkeyactivation.com/cps. By using 
these security features, you are consenting to be bound by the terms of 
these documents. If you do not agree to the terms of these documents, 
promptly contact the entity from which you obtained this software and do 
not use these security features. 

Do you agree to these terms? (yes, y, no, n) : [no] y 

This command requires Switch Certificate, Security license and Zoning 
license to be installed on every switch in the fabric. 

PLEASE NOTE: On successful completion of this command, login sessions 
may be closed and some switches may go through a reboot to form a secure 
fabric . 

Non-FCS admin password will be set the same as FCS admin password. 
ARE YOU SURE (yes, y, no, n) : [no] y 

Please enter current admin account password: 

Secure mode is enabled. 

The command requests active consent to the terms of the license, requests the identity of the FCS 
switches, and requests the new passwords required for secure mode. 

7. Skip this step if you used the --quickmode or --currentpwd options; otherwise, type 
the following passwords at the prompts, using unique passwords that are different from the 
default values and contain between 8 and 40 alphanumeric characters: 

• Root password for the FCS switch 

• Factory password for the FCS switch 

• Admin password for the FCS switch 

• User password for the fabric 

• Admin password for the non-FCS switches 



NOTE: The root and factory accounts are disabled on the non-FCS switches. If either of these
logins is attempted on a non-FCS switch, an error message is displayed.
For example, to enter passwords after enabling secure mode:

New FCS switch root password: 

Re-enter new password: 

New FCS switch factory password: 

Re-enter new password: 

New FCS switch admin password: 

Re-enter new password: 

New FCS switch user password: 

Re-enter new password: 

New Non FCS switch admin password: 

Re-enter new password: 

Saving passwd...done.
Saving Defined FMPS...done.
Saving Active FMPS...done.
Committing configuration...done.
Secure mode is enabled.
Saving passwd...done.
Rebooting...



All passwords are saved. The command distributes the new FCS policy and passwords to
all switches in the fabric, activates the local zoning configurations, and fastboots all Fabric
OS 2.6.2 switches in the fabric.



NOTE: Record the passwords and store them in a secure place. Recovering passwords might



Only one FCS policy can exist, and it cannot be empty or deleted if secure mode is enabled. 
The FCS policy is named FCS_POLICY. 

Changes made to the FCS policy are saved to permanent memory only after the changes have 
been saved or activated; they can be aborted later if desired (see "Managing Secure Fabric 
OS policies" on page 83). 

The FCS policy can be modified through any of the following methods: 

• Using the secPolicyFCSMove command to change the position of a switch in the list, as 
described in "Changing the position of a switch within the FCS policy" on page 63 

• Using the secFCSFailover command to fail over the primary FCS switch role to the 
backup FCS switch from which the command is entered, as described in "Failing over the 
primary FCS switch" on page 64 
• Using the secPolicyAdd command to add members, as described in "Adding a
member to an existing policy" on page 85

• Using the secPolicyRemove command to remove members, as described in "Removing
a member from a policy" on page 86



NOTE: If the last FCS switch is removed from the fabric, secure mode remains enabled but
no primary FCS switch is available. To specify a new primary FCS switch, enter the 
secModeEnable command again and specify the primary and backup FCS switches. This is 
the only instance in which the secModeEnable command can be entered when secure mode 
is already enabled. 



The possible FCS policy states are shown in Table 2. 



Table 2 FCS policy states

Policy state                     Characteristics
No policy, or policy with no     Not possible if secure mode is enabled.
entries
Policy with one entry            A primary FCS switch is designated but there are no backup
                                 FCS switches. If the primary FCS switch becomes unavailable
                                 for any reason, the fabric is left without an FCS switch.
Policy with multiple entries     A primary FCS switch and one or more backup FCS switches
                                 are designated. If the primary FCS switch becomes
                                 unavailable, the next switch in the list becomes the primary
                                 FCS switch.



You might not want to put Fabric OS v2.6.x switches in the FCS policy if your primary FCS 
switch is running Fabric OS v3.2.0 or v4.4.x and using Multiple User Accounts (MUA) 
because Fabric OS v2.6.x does not support MUA. Refer to the HP StorageWorks Fabric OS 
4.x Fabric OS procedures user guide for more information on MUA. 



Changing the position of a switch within the FCS policy 

The secPolicyFCSMove command can be used to change the order in which switches are 
listed in the FCS policy. The list order determines which backup FCS switch becomes the 
primary FCS switch if the current primary FCS switch fails. 

To modify the order of FCS switches: 

1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin. 
2. Type secPolicyShow "Defined", "FCS_POLICY".

This displays the WWNs of the current primary FCS switch and backup FCS switches.

3. Type secPolicyFCSMove, then provide the current position of the switch in the list and 
the desired position at the prompts. 

Alternatively, enter secPolicyFCSMove "From, To". From is the current position in the 
list of the FCS switch and To is the desired position in the list for this switch. 

For example, to move a backup FCS switch from position 2 to position 3 in the FCS list, 
using interactive mode: 

primaryfcs:admin> secpolicyfcsmove
Pos Primary WWN                      Did  swName
1   Yes     10:00:00:60:69:10:02:18  1    switch5
2   No      10:00:00:60:69:00:00:5a  2    switch60
3   No      10:00:00:60:69:00:00:13  3    switch73

Please enter position you'd like to move from : (1..3) [1] 2
Please enter position you'd like to move to : (1..3) [1] 3

DEFINED POLICY SET
FCS_POLICY
Pos Primary WWN                      Did  swName
1   Yes     10:00:00:60:69:10:02:18  1    switch5
2   No      10:00:00:60:69:00:00:13  3    switch73
3   No      10:00:00:60:69:00:00:5a  2    switch60


4. Type secPolicyActivate. 

Failing over the primary FCS switch 

The secFCSFailover command is used to fail over the role of the primary FCS switch to the 
backup FCS switch from which the command is entered. This can be used to recover from 
events such as a lost Ethernet connection to the primary FCS switch. 

In addition to failing over the role of the primary FCS switch, this command moves the new 
primary FCS switch to the top of the list in the FCS policy. 



NOTE: Disabling a switch or removing it from the fabric does not change the order of the
FCS policy. 

Before issuing the secFCSFailover command, ensure no other operations are 
simultaneously performed that cause the fabric to reconfigure; for example, haFailover or 
another secFCSFailover. Otherwise, secFCSFailover might hang. 
During FCS failover to a backup FCS switch, all transactions in process on the current primary
FCS switch are aborted, and any further transactions are blocked until failover is complete.

To fail over the primary FCS switch: 

1. Log in as admin to the current primary FCS switch from a sectelnet or SSH session.

2. If desired, view the current FCS list by typing secPolicyShow "active", "FCS_POLICY".

For example, type secPolicyShow from the current primary FCS switch, "fcsswitcha": 



fcsswitcha:admin> secpolicyshow "active", "FCS_POLICY"
ACTIVE POLICY SET
FCS_POLICY
Pos Primary WWN                   Did  swName
1   Yes     10:00:00:00:00:00:11  1c1  fcsswitcha
2   No      10:00:00:00:00:00:22  2c2  fcsswitchb
3   No      10:00:00:00:00:00:33  3c3  fcsswitchc



3. From a sectelnet or SSH session, log in as admin to the backup FCS switch to be
designated as the new primary FCS switch and type secFCSFailover.

For example, type secFCSFailover from the backup FCS switch "fcsswitchc" and then 
type secPolicyShow: 

fcsswitchc:admin> secfcsfailover

This switch is about to become the primary FCS switch.

All transactions of the current Primary FCS switch will be aborted.

ARE YOU SURE (yes, y, no, n) : [no] y

WARNING!!!

The FCS policy of Active and Defined Policy sets have been changed.
Review them before you issue secpolicyactivate again.

fcsswitchc:admin> secpolicyshow "active", "FCS_POLICY"
ACTIVE POLICY SET
FCS_POLICY
Pos Primary WWN                   Did  swName
1   Yes     10:00:00:00:00:00:33  3c3  fcsswitchc
2   No      10:00:00:00:00:00:11  1c1  fcsswitcha
3   No      10:00:00:00:00:00:22  2c2  fcsswitchb



The backup FCS switch becomes the new primary FCS switch, and the FCS policy is 
modified so that the new and previous primary FCS switches have exchanged places. 
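The two list operations just described, secPolicyFCSMove and secFCSFailover, differ in how they reorder the FCS policy, and the difference matters because list order decides which backup takes over when the primary is lost (Table 2). The following Python model is an added illustration, not Fabric OS code: it reproduces the two walk-throughs above (the WWNs and switch names are the constructed sample values from those listings, with domain IDs simplified to 1, 2, 3) and follows the listings themselves, in which a failover moves the new primary to the top of the list and the remaining switches shift down one position.

```python
from dataclasses import dataclass


@dataclass
class FcsEntry:
    wwn: str   # switch WWN as shown in the Pos/Primary/WWN/Did/swName listing
    did: int   # domain ID (constructed sample values)
    name: str  # switch name


class FcsPolicy:
    """Ordered FCS_POLICY member list; position 1 is the primary FCS switch."""

    def __init__(self, entries):
        # Table 2: an empty FCS policy is not possible while secure mode is enabled.
        if not entries:
            raise ValueError("FCS_POLICY cannot be empty while secure mode is enabled")
        self.entries = list(entries)

    def names(self):
        return [e.name for e in self.entries]

    def primary(self):
        return self.entries[0]

    def backup_on_primary_loss(self):
        """Table 2: with one entry the fabric is left without an FCS switch;
        with several entries the next switch in the list becomes primary."""
        return self.entries[1].name if len(self.entries) > 1 else None

    def move(self, from_pos, to_pos):
        """secPolicyFCSMove "From, To": take the entry at From out of the list
        and re-insert it at To; the other entries keep their relative order."""
        n = len(self.entries)
        if not (1 <= from_pos <= n and 1 <= to_pos <= n):
            raise ValueError(f"positions must be in 1..{n}")
        entry = self.entries.pop(from_pos - 1)
        self.entries.insert(to_pos - 1, entry)

    def failover(self, backup_name):
        """secFCSFailover entered on a backup switch: that switch becomes the
        primary FCS switch and is moved to the top of the list."""
        idx = next((i for i, e in enumerate(self.entries) if e.name == backup_name), None)
        if idx is None:
            raise ValueError(f"{backup_name} is not a member of FCS_POLICY")
        if idx == 0:
            raise ValueError(f"{backup_name} is already the primary FCS switch")
        entry = self.entries.pop(idx)
        self.entries.insert(0, entry)


def move_example():
    """The secPolicyFCSMove walk-through above: move position 2 to position 3."""
    policy = FcsPolicy([
        FcsEntry("10:00:00:60:69:10:02:18", 1, "switch5"),
        FcsEntry("10:00:00:60:69:00:00:5a", 2, "switch60"),
        FcsEntry("10:00:00:60:69:00:00:13", 3, "switch73"),
    ])
    policy.move(2, 3)
    return policy.names()


def failover_example():
    """The secFCSFailover walk-through above, entered on fcsswitchc (position 3)."""
    policy = FcsPolicy([
        FcsEntry("10:00:00:00:00:00:11", 1, "fcsswitcha"),
        FcsEntry("10:00:00:00:00:00:22", 2, "fcsswitchb"),
        FcsEntry("10:00:00:00:00:00:33", 3, "fcsswitchc"),
    ])
    policy.failover("fcsswitchc")
    return policy.names()


if __name__ == "__main__":
    print(move_example())      # ['switch5', 'switch73', 'switch60']
    print(failover_example())  # ['fcsswitchc', 'fcsswitcha', 'fcsswitchb']
```

Because a one-entry policy has no backup at all, `backup_on_primary_loss()` returns `None` for it; running it against a proposed list before `secPolicyActivate` is a quick way to confirm that the switch you expect to take over is actually second in the list.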
Creating Secure Fabric OS policies other than the FCS policy

The FCS policy is automatically created when secure mode is enabled; other Secure Fabric 
OS policies can be created after secure mode is enabled. (Using the quickmode or lockdown 
options to the secModeEnable command also creates an SCC policy and a DCC policy.) 
The member list of each policy determines the devices or switches to which the policy applies. 

If a policy does not exist, then no Secure Fabric OS controls are in effect for that aspect of the 
fabric. If a policy exists but has no members, that functionality is disabled for all switches in 
the fabric. As soon as a policy has been created, that functionality becomes disabled for all 
switches except the members listed in the policy. 



NOTE: Save policy changes frequently; changes are lost if the switch is rebooted before the
changes are saved. 



Each supported policy is identified by a specific name, and only one policy of each type can 
exist (except for DCC policies). The policy names are case sensitive and must be entered in all 
uppercase. Multiple DCC policies can be created using the naming convention 
DCC_POLICY_nnn, with nnn representing a unique string. 



NOTE: Uploading and saving a copy of the Secure Fabric OS database after creating the
desired Secure Fabric OS policies is strongly recommended. The configUpload command
can be used to upload a copy of the configuration file, which contains all the Secure Fabric 
OS information. For more information about this command, refer to the HP StorageWorks 
Fabric OS 4.x command reference guide. 
Policy members can be specified by IP address, device port WWN, switch WWN, domain
IDs, or switch names, depending on the policy. The valid methods for specifying policy 
members are listed in Table 3. 



Table 3 Valid methods for specifying policy members

Policy name         IP address   Device port WWN   Switch WWN   Domain IDs   Switch names
FCS_POLICY          No           No                Yes          Yes          Yes
MAC Policies:
RSNMP_POLICY        Yes          No                No           No           No
WSNMP_POLICY        Yes          No                No           No           No
TELNET_POLICY       Yes          No                No           No           No
HTTP_POLICY         Yes          No                No           No           No
API_POLICY          Yes          No                No           No           No
SES_POLICY          No           Yes               No           No           No
MS_POLICY           No           Yes               No           No           No
SERIAL_POLICY       No           No                Yes          Yes          Yes
FRONTPANEL_POLICY   No           No                Yes          Yes          Yes
OPTIONS_POLICY
DCC_POLICY_nnn      No           Yes               Yes          Yes          Yes
SCC_POLICY          No           No                Yes          Yes          Yes



NOTE: Save policy changes frequently; changes are lost if the switch is rebooted before the
changes are saved.






Creating a MAC policy 

Management Access Control (MAC) policies can be used to restrict the following 
management access to the fabric: 

• Access by hosts using SNMP, telnet/sectelnet/Secure Shell, HTTP, API 

• Access by device ports using SES or management server 

• Access through switch serial ports and front panels 

The individual MAC policies and how to create them are described in the following sections. 
By default, all MAC access is allowed; no MAC policies exist until they are created. 



NOTE: An empty MAC policy blocks all access through that management channel. When
creating policies, ensure that all desired members are added to each policy.

Providing fabric access to proxy servers is strongly discouraged. When a proxy server is
included in a MAC policy for IP-based management, such as the HTTP_POLICY, all IP packets
leaving the proxy server appear to originate from the proxy server. This could result in
allowing any hosts that have access to the proxy server to access the fabric.

Serial, Telnet, and API violations that occur on the standby CP of a chassis-based platform do 
not display on the active CP. Also, during an HA failover, security violation counters and 
events are not propagated from the former active CP to the current active CP. 



Creating an SNMP policy 

Read and write SNMP policies can be used to specify which SNMP hosts are allowed read 
and write access to the fabric. The SNMP hosts must be identified by IP address. 

• RSNMP_POLICY (read access) 

Only the specified SNMP hosts can perform read operations to the fabric. 

• WSNMP_POLICY (write access) 

Only the specified SNMP hosts can perform write operations to the fabric. 

Any host granted write permission by the WSNMP policy is automatically granted read 
permission by the RSNMP policy. 

How to create SNMP policies is described in "To create an SNMP policy:" on page 69. 
Table 4 lists the expected read and write behaviors resulting from combinations of the RSNMP
and WSNMP policies.



Table 4 Read and write behaviors of SNMP policies

RSNMP policy       WSNMP policy       Read result           Write result
Nonexistent        Nonexistent        Any host can read     Any host can write
Nonexistent        Empty              Any host can read     No host can write
Nonexistent        Host B in policy   Any host can read     Only B can write
Empty              Nonexistent        This combination is not supported. If the WSNMP
                                      policy is not defined, the RSNMP policy cannot
                                      be created.
Empty              Empty              No host can read      No host can write
Empty              Host B in policy   Only B can read       Only B can write
Host A in policy   Nonexistent        This combination is not supported. If the WSNMP
                                      policy is not defined, the RSNMP policy cannot
                                      be created.
Host A in policy   Empty              Only A can read       No host can write
Host A in policy   Host B in policy   A and B can read      Only B can write



To create an SNMP policy: 

1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin. 

2. Type secPolicyCreate "policy_name", "member;...;member".

Policy_name is WSNMP_POLICY or RSNMP_POLICY. Member is one or more IP addresses
in dot-decimal notation. "0" can be entered in an octet to indicate that any number can be
matched in that octet.

For example, to create a WSNMP and an RSNMP policy to allow only IP addresses that
match 192.168.5.0 read and write access to the fabric:

primaryfcs:admin> secpolicycreate "WSNMP_POLICY", "192.168.5.0"
WSNMP_POLICY has been created.

primaryfcs:admin> secpolicycreate "RSNMP_POLICY", "192.168.5.0"
RSNMP_POLICY has been created.
3. To save or activate the new policy, enter either the secPolicySave or the
secPolicyActivate command.

If neither of these commands is entered, the changes are lost when the session is logged 
out. For more information about these commands, refer to "Saving changes to Secure 
Fabric OS policies" on page 84 and "Activating changes to Secure Fabric OS policies" 
on page 84. 
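Two details of the IP-based MAC policies are easy to get wrong when reviewing a configuration: the "0" wildcard octet in a member address, and the way the RSNMP and WSNMP policies combine (Table 4, including the two combinations that cannot be created and the rule that write permission implies read permission). The following Python evaluator is an added illustration written for this guide, not Fabric OS code; it assumes a policy is represented as None (does not exist), an empty list (exists but has no members) or a list of member strings, and the host addresses in it are constructed sample values.

```python
from ipaddress import IPv4Address

# Policy representation used by this model (an assumption, not Fabric OS internals):
#   None  -> the policy does not exist (no control for that channel)
#   []    -> the policy exists but is empty (no host allowed)
#   [...] -> the policy exists with members, e.g. ["192.168.5.0", "10.1.2.3"]


def member_matches(member, host):
    """True if `host` matches the dot-decimal `member`; an octet given as "0"
    matches any value in that octet, so "192.168.5.0" covers all of 192.168.5.x."""
    mem = member.split(".")
    if len(mem) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in mem):
        raise ValueError(f"invalid policy member {member!r}")
    hst = str(IPv4Address(host)).split(".")  # validates and normalises the host
    return all(m == "0" or int(m) == int(h) for m, h in zip(mem, hst))


def policy_allows(policy, host):
    """Generic policy-state rule (Tables 5 to 7): no policy -> any host,
    empty policy -> no host, policy with entries -> listed hosts only."""
    if policy is None:
        return True
    return any(member_matches(m, host) for m in policy)


def snmp_access(rsnmp, wsnmp, host):
    """Return (can_read, can_write) for `host` under an RSNMP/WSNMP pair, per
    Table 4. Write permission implies read permission, and an RSNMP policy
    cannot exist without a WSNMP policy."""
    if wsnmp is None and rsnmp is not None:
        raise ValueError("RSNMP_POLICY cannot be created unless WSNMP_POLICY is defined")
    can_write = policy_allows(wsnmp, host)
    can_read = can_write or policy_allows(rsnmp, host)
    return can_read, can_write


def access_matrix(rsnmp, wsnmp, hosts):
    """Evaluate several constructed hosts at once; handy for checking a planned
    policy pair before secPolicySave / secPolicyActivate."""
    return {h: snmp_access(rsnmp, wsnmp, h) for h in hosts}


if __name__ == "__main__":
    # Constructed sample: the example policies from this section, plus one outside host.
    hosts = ["192.168.5.20", "192.168.7.20"]
    print(access_matrix(["192.168.5.0"], ["192.168.5.0"], hosts))
```

Note that `policy_allows` already encodes the warning given earlier in this section: a policy that exists but has no members denies every host, so an operator who creates TELNET_POLICY or HTTP_POLICY and forgets to add members has locked that channel, not left it open.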

Telnet policy 

The Telnet policy can be used to specify which workstations can use sectelnet or Secure Shell
to connect to the fabric. The policy is named TELNET_POLICY and contains a list of the IP
addresses for the trusted workstations (workstations that are in a physically secure area).

When a Core Switch 2/64 or SAN Director 2/128 is in secure mode, sectelnet or SSH
sessions cannot be opened to the active CP. This prevents potential violation of the Telnet
policy, since the active CP can be used to access either of the logical switches on the Core
Switch 2/64, or a two-domain SAN Director 2/128. However, sectelnet or SSH sessions can
be established to the IP addresses of the logical switches and to the standby CP, if allowed by
the Telnet policy. If the active CP fails over, any sectelnet or SSH sessions to the standby CP
are automatically terminated when the standby CP becomes the active CP.

How to create a Telnet policy is described after Table 5. 



NOTE: Static host IP addresses are required to implement the Telnet policy effectively. Do not
use DHCP for hosts that are in the TELNET_POLICY, because as soon as the IP addresses
change, the hosts will no longer be able to access the fabric. Restricting output (such as
placing a session on "hold" by use of a command or keyboard shortcut) is not recommended.



This policy pertains to sectelnet and Secure Shell. It does not pertain to telnet access, because 
telnet is not available in secure mode. Use sectelnet as soon as a digital certificate is installed 
on the switch. 



NOTE: An empty TELNET_POLICY blocks all telnet access. To prevent this, keep one or more
members in the Telnet policy. If an empty Telnet policy is absolutely required, leave a
meaningful entry in the API, HTTP, or SERIAL policies (or do not create these policies) to
ensure that some form of management access is available to the switch. To restrict CLI access
over the network to Secure Shell, disable telnet as described in "Telnet" on page 13.
The possible Telnet policy states are shown in Table 5.



Table 5 Telnet policy states

Policy State             Description
No policy                Any host can connect by sectelnet or SSH to the fabric.
Policy with no entries   No host can connect by sectelnet or SSH to the fabric.
Policy with entries      Only specified hosts can connect by sectelnet or SSH to the fabric.



To create a Telnet policy: 



1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin. 

2. Type secPolicyCreate "policy_name", "member;...;member".

Policy_name is TELNET_POLICY. Member is one or more IP addresses in dot-decimal
notation. "0" can be entered in an octet to indicate that any number can be matched in
that octet.

3. To save or activate the new policy, enter either the secPolicySave or the 
secPolicyActivate command. 

If neither of these commands is entered, the changes are lost when the session is logged 
out. For more information about these commands, refer to "Saving changes to Secure 
Fabric OS policies" on page 84 and "Activating changes to Secure Fabric OS policies" 
on page 84. 

For example, to create a Telnet policy to allow anyone on network 192.168.5.0 (where 0
can be any number) to access the fabric through a sectelnet or Secure Shell session:

primaryfcs:admin> secpolicycreate "TELNET_POLICY", "192.168.5.0"

TELNET_POLICY has been created.

HTTP policy 

The HTTP policy can be used to specify which workstations can use HTTP to access the fabric. 
This is useful for applications that use Internet browsers, such as Web Tools. 

The policy is named HTTP_POLICY and contains a list of IP addresses for devices and
workstations that are allowed to establish HTTP connections to the switches in the fabric.
Table 6 lists possible HTTP policy states.



Table 6 HTTP policy states

Policy State             Characteristics
No policy                All hosts can establish an HTTP/HTTPS connection to any switch
                         in the fabric.
Policy with no entries   No host can establish an HTTP/HTTPS connection to any switch
                         in the fabric.
                         Note: An empty policy causes the message "The page cannot
                         be displayed" to display when HTTP/HTTPS access is attempted.
Policy with entries      Only specified hosts can establish an HTTP/HTTPS connection
                         to any switch in the fabric.



To create an HTTP policy: 



1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin. 

2. Type secPolicyCreate "policy_name", "member;...;member".

Policy_name is HTTP_POLICY. Member is one or more IP addresses in dot-decimal notation.
"0" can be entered in an octet to indicate that any number can be matched in that octet.

3. To save or activate the new policy, enter either the secPolicySave or the 
secPolicyActivate command. 

If neither of these commands is entered, the changes are lost when the session is logged 
out. For more information about these commands, see "Saving changes to Secure Fabric 
OS policies" on page 84 and "Activating changes to Secure Fabric OS policies" on 
page 84. 

For example, to create an HTTP policy to allow anyone on the network with IP address of
192.168.5.0 (where "0" can be any number) to establish an HTTP connection to any
switch in the fabric:

primaryfcs:admin> secpolicycreate "HTTP_POLICY", "192.168.5.0"

HTTP_POLICY has been created.

API policy 

The API policy can be used to specify which workstations can use API to access the fabric and 
which ones can write to the primary FCS switch. 

The policy is named API_POLICY and contains a list of the IP addresses that are allowed to
establish an API connection to switches in the fabric.
Table 7 lists possible API policy states.



Table 7 API policy states

Policy State             Characteristics
No policy                All workstations can establish an API connection to any switch
                         in the fabric.
Policy with no entries   No host can establish an API connection to any switch in the
                         fabric.
Policy with entries      Only specified hosts can establish an API connection to any
                         switch in the fabric, and write operations can only be
                         performed on the primary FCS switch.



To create an API policy: 



1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin. 

2. Type secPolicyCreate "policy_name", "member;...;member".

Policy_name is API_POLICY. Member is one or more IP addresses in dot-decimal notation.
"0" can be entered in an octet to indicate that any number can be matched in that octet.

3. To save or activate the new policy, enter either the secPolicySave or the 
secPolicyActivate command. 

If neither of these commands is entered, the changes are lost when the session is logged 
out. For more information about these commands, refer to "Saving changes to Secure 
Fabric OS policies" on page 84 and "Activating changes to Secure Fabric OS policies" 
on page 84. 

For example, to create an API policy to allow anyone on the network with an IP address of 
192.168.5.0 (where "0" can be any number) to establish an API connection to any switch 
in the fabric: 

primaryfcs:admin> secpolicycreate "API_POLICY", "192.168.5.0"

API_POLICY has been created.
SES policy



NOTE: HP does not support SES at this time, although it appears in the Secure Fabric
application, and throughout this guide. 



The SES policy can be used to restrict which devices can be managed by SES commands. The 
policy is named SES_POLICY and contains a list of device port WWNs that are allowed to 
access SES and from which SES commands are accepted and acted upon. 

If secure mode is enabled, the SES client must be directly attached to the primary FCS switch. 
Then the SES client can be used to manage all the switches in the fabric through the SES 
product for switches. 

Table 8 shows the possible SES policy states. 



Table 8 SES policy states

Policy State             Characteristics
No policy                All device ports can access SES.
Policy with no entries   No device port can access SES.
Policy with entries      The specified devices can access SES.



To create an SES policy: 



1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin. 

2. Type secPolicyCreate "policy_name", "member;...;member".

Policy_name is SES_POLICY. Member is a device port WWN.

3. To save or activate the new policy, enter either secPolicySave or 
secPolicyActivate. 

If neither of these commands is entered, the changes are lost when the session is logged 
out. For more information about these commands, refer to "Saving changes to Secure 
Fabric OS policies" on page 84 and "Activating changes to Secure Fabric OS policies" 
on page 84. 

For example, to create an SES_POLICY that allows access through a device that has a WWN of
12:24:45:10:0a:67:00:40:

primaryfcs:admin> secpolicycreate "SES_POLICY", "12:24:45:10:0a:67:00:40"

SES_POLICY has been created.
Management server policy

The Management Server policy can be used to restrict which devices can be accessed by the 
management server. Fabric configuration and control functions can be performed only by 
requesters that are directly connected to the primary FCS switch. The policy is named 
MS_POLICY and contains a list of device port WWNs for which the management server 
implementation in Fabric OS (designed according to FC-GS-3 standard) accepts and acts on 
requests. 

How to create a Management Server policy is described after Table 9, which shows the
possible Management Server policy states.

Table 9 Management server policy states

Policy State             Characteristics
No policy                All devices can access the management server.
Policy with no entries   No devices can access the management server.
Policy with entries      Specified devices can access the management server.

To create a Management Server policy:

1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin. 

2. Type secPolicyCreate "policy_name", "member;...;member".

Policy_name is MS_POLICY. Member is a device WWN.

3. To save or activate the new policy, enter either secPolicySave or 
secPolicyActivate. 

If neither of these commands is entered, the changes are lost when the session is logged 
out. For more information about these commands, see "Saving changes to Secure Fabric 
OS policies" on page 84 and "Activating changes to Secure Fabric OS policies" on 
page 84. 

For example, to create an MS_POLICY that allows access through a device that has a
WWN of 12:24:45:10:0a:67:00:40:

primaryfcs:admin> secpolicycreate "MS_POLICY", "12:24:45:10:0a:67:00:40"

MS_POLICY has been created.
Serial port policy

The Serial Port policy can be used to restrict which switches can be accessed by serial port.
The policy is named SERIAL_POLICY and contains a list of switch WWNs, domain IDs, or
switch names for which serial port access is enabled.

The serial policy is checked before the account login is accepted. If the Serial Port Policy exists 
and the switch is not included in the policy, the session is terminated. 

How to create a Serial Port policy is described after Table 10, which displays the possible
serial port policy states.



Table 10 Serial port policy states

Policy State             Characteristics
No policy                All serial ports of the switches in the fabric are enabled.
Policy with no entries   All serial ports of the switches in the fabric are disabled.
Policy with entries      Only specified switches can be accessed through the serial
                         ports.



To create a Serial Port policy: 



1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin. 

2. Type secPolicyCreate "policy_name", "member;...;member".

Policy_name is SERIAL_POLICY. Member is a switch WWN, domain ID, or switch name. If
a domain ID or switch name is used to specify a switch, the associated switch must be
present in the fabric for the command to succeed.

3. To save or activate the new policy, enter either secPolicySave or 
secPolicyActivate. 

If neither of these commands is entered, the changes are lost when the session is logged 
out. For more information about these commands, see "Saving changes to Secure Fabric 
OS policies" on page 84 and "Activating changes to Secure Fabric OS policies" on 
page 84. 

For example, to create a SERIAL_POLICY that allows serial port access to a switch that has
a WWN of 12:24:45:10:0a:67:00:40:

primaryfcs:admin> secpolicycreate "SERIAL_POLICY", "12:24:45:10:0a:67:00:40"

SERIAL_POLICY has been created.
Front panel policy

The Front Panel policy can be used to restrict which switches can be accessed through the
front panel. This policy only applies to HP StorageWorks 2Gbps switches, since no other
switches contain front panels. The policy is named FRONTPANEL_POLICY and contains a list
of switch WWNs, domain IDs, or switch names for which front panel access is enabled.

How to create a Front Panel policy is described after Table 11, which displays the possible
Front Panel policy states.



Table 11 Front panel policy states

Policy State             Characteristics
No policy                All the switches in the fabric have front panel access enabled.
Policy with no entries   All the switches in the fabric have front panel access disabled.
Policy with entries      Only specified switches in the fabric have front panel access
                         enabled.



To create a Front Panel policy: 

1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin. 

2. Type secPolicyCreate "policy_name", "member;...;member".

Policy_name is FRONTPANEL_POLICY. Member is a switch WWN, domain ID, or switch
name. If a domain ID or switch name is used to specify a switch, the associated switch
must be present in the fabric for the command to succeed.

3. To save or activate the new policy, enter either the secPolicySave or the 
secPolicyActivate command. 

If neither of these commands is entered, the changes are lost when the session is logged 
out. For more information about these commands, see "Saving changes to Secure Fabric 
OS policies" on page 84 and "Activating changes to Secure Fabric OS policies" on 
page 84. 

For example, to create a Front Panel policy to allow only domains 3 and 4 to use the front
panel:

primaryfcs:admin> secpolicycreate "FRONTPANEL_POLICY", "3;4"

FRONTPANEL_POLICY has been created.
Creating an Options policy

The Options policy can be used to prevent the use of node WWNs to add members to zones.
This policy is named OPTIONS_POLICY and has only one valid value,
"NoNodeWWNZoning". Adding this value to the policy prevents use of Node WWNs for
WWN-based zoning.

The use of node WWNs can introduce ambiguity because the node WWN might also be 
used for one of the device ports, as might be true with a host bus adapter (HBA). If the policy 
does not exist or is empty, node WWNs can be used for WWN-based zoning. Only one 
Options policy can be created. This policy cannot be used to control use of port WWNs for 
zoning. 

By default, use of node WWNs is allowed; the Options policy does not exist until it is created 
by the administrator. 

How to create an Options policy is described after Table 12, which displays the possible
Options policy states.



Table 12 Options policy states

Policy State             Characteristics
No policy                Node WWNs can be used for WWN-based zoning.
Policy with no entries   Node WWNs can be used for WWN-based zoning.
Policy with entries      Node WWNs cannot be used for WWN-based zoning.



To create an Options policy: 



1. Log in to the primary FCS switch as admin from a sectelnet or Secure Shell session. 

2. Type secPolicyCreate "OPTIONS_POLICY", "NoNodeWWNZoning".

3. To save or activate the new policy, enter either the secPolicySave or the 
secPolicyActivate command. 

If neither of these commands is entered, the changes are lost when the session is logged 
out. For more information about these commands, refer to "Saving changes to Secure 
Fabric OS policies" on page 84 and "Activating changes to Secure Fabric OS policies" 
on page 84. 






4. To apply the change to current transactions, disable the switch then re-enable it by 
entering the switchDisable and switchEnable commands. This stops any current 
traffic between devices that are zoned using node names. 

primaryfcs:admin> secpolicycreate "OPTIONS_POLICY", "NoNodeWWNZoning"

OPTIONS_POLICY has been created.

Creating a DCC policy

Multiple DCC policies can be used to restrict which device ports can connect to which switch 
ports. The devices can be initiators, targets, or intermediate devices such as SCSI routers and 
loop hubs. By default, all device ports are allowed to connect to all switch ports; no DCC 
policies exist until they are created by the administrator. 

Each device port can be bound to one or more switch ports; the same device ports and switch 
ports might be listed in multiple DCC policies. After a switch port is specified in a DCC policy, 
it permits connections only from designated device ports. Device ports that are not specified in 
any DCC policies are allowed to connect only to switch ports that are not specified in any 
DCC policies. 



NOTE: Some older private loop HBAs do not respond to port login from the switch and are 
not enforced by the DCC policy. However, this does not create a security problem because 
these HBAs cannot contact any device outside of their immediate loop. 



DCC policies must follow the naming convention "DCC_POLICY_nnn," where nnn represents 
a unique string. To save memory and improve performance, one DCC policy per switch or 
group of switches is recommended. 

Device ports must be specified by port WWN. Switch ports can be identified by the switch 
WWN, domain ID, or switch name followed by the port or area number. To specify an 
allowed connection, enter the device port WWN, a semicolon, and the switch port 
identification. Following are the possible methods of specifying an allowed connection: 

• deviceportWWN;switchWWN (port or area number)

• deviceportWWN;domainID (port or area number)

• deviceportWWN;switchname (port or area number)

Table 13 shows possible DCC policy states.



Table 13 DCC policy states

Policy state          Characteristics

No policy             Any device can connect to any switch port in the fabric.

Policy with no        Any device can connect to any switch port in the fabric. An empty policy
entries               is the same as no policy.

Policy with entries   If a device WWN is specified in a DCC policy, that device is only
                      allowed access to the fabric if connected to a switch port listed in the
                      same policy.

                      If a switch port is specified in a DCC policy, it only permits connections
                      from devices that are listed in the policy.

                      Devices with WWNs that are not specified in a DCC policy are allowed
                      to connect to the fabric at any switch ports that are not specified in a
                      DCC policy.

                      Switch ports and device WWNs may exist in multiple DCC policies.






To create a DCC policy: 

1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin. 

2. Type secPolicyCreate "DCC_POLICY_nnn", "member;...;member".

DCC_POLICY_nnn is the name of the DCC policy to be created; nnn is a string consisting
of up to 19 alphanumeric or underscore characters to differentiate it from any other DCC
policies. Member contains device or switch port information in the form
deviceportWWN;switch(port):

• deviceportWWN is the WWN of the device port.

• switch can be the switch WWN, domain ID, or switch name. The port can be specified
by port or area number. Designating ports automatically includes the devices currently
attached to those ports. The ports can be specified using any of the following syntax
methods:

(1-6)     Selects ports 1 through 6.

(*)       Selects all ports on the switch.

[*]       Selects all ports and all devices attached to those ports.

[3, 9]    Selects ports 3 and 9 and all devices attached to those ports.

[1-3, 9]  Selects ports 1, 2, 3, 9, and all devices attached to those ports.

3. To save or activate the new policy, enter either the secPolicySave or the 
secPolicyActivate command. 

If neither of these commands is entered, the changes are lost when the session is logged 
out. For more information about these commands, see "Saving changes to Secure Fabric 
OS policies" on page 84 and "Activating changes to Secure Fabric OS policies" on 
page 84. 

For example, to create a DCC policy "DCC_POLICY_server" that includes device
"11:22:33:44:55:66:77:aa" and port 1 and port 3 of switch domain 1:

primaryfcs:admin> secpolicycreate "DCC_POLICY_server", "11:22:33:44:55:66:77:aa;1(1,3)"

DCC_POLICY_xxx has been created

To create a DCC policy "DCC_POLICY_storage" that includes device port WWN
"22:33:44:55:66:77:11:bb," all ports of switch domain 2, and all currently connected
devices of switch domain 2:

primaryfcs:admin> secpolicycreate "DCC_POLICY_storage", "22:33:44:55:66:77:11:bb;2[*]"

DCC_POLICY_xxx has been created

To create a DCC policy "DCC_POLICY_abc" that includes device
"33:44:55:66:77:11:22:cc" and ports 1-6 and port 9 of switch domain 3:

primaryfcs:admin> secpolicycreate "DCC_POLICY_abc", "33:44:55:66:77:11:22:cc;3(1-6,9)"

DCC_POLICY_xxx has been created

To create a DCC policy "DCC_POLICY_example" that includes devices
44:55:66:77:22:33:44:dd and 33:44:55:66:77:11:22:cc, ports 1-4 of switch domain
4, and all devices currently connected to ports 1-4 of switch domain 4:

primaryfcs:admin> secpolicycreate "DCC_POLICY_example", "44:55:66:77:22:33:44:dd;33:44:55:66:77:11:22:cc;4[1-4]"

DCC_POLICY_xxx has been created
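The member syntax in step 2 and the enforcement rules in Table 13 are easier to reason about when written out as code. The following is an added Python example, not HP or Brocade code and not part of this guide: it parses secPolicyCreate member strings for DCC policies and decides whether a given device port may connect to a given switch port. Switch identifiers are treated as plain strings (domain ID, switch name or switch WWN alike), the `attached` mapping is a constructed stand-in for what the switch itself knows about logged-in devices when a [...] member is expanded at creation time, and the WWNs beginning 55:66:77 are constructed for the example.

```python
"""Parse Secure Fabric OS DCC policy member strings and apply the access
rules from the DCC policy states table. Constructed example, not HP or
Brocade code; `attached` stands in for the switch's own view of which
devices are logged in when a [...] member is expanded at creation time."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# DCC_POLICY_nnn: nnn is up to 19 alphanumeric or underscore characters
NAME_RE = re.compile(r"^DCC_POLICY_[A-Za-z0-9_]{1,19}$")
WWN_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){7}$", re.IGNORECASE)
# switch(ports) or switch[ports]; switch is a domain ID, switch name or switch WWN
PORT_RE = re.compile(
    r"^(?P<switch>[^()\[\]]+?)\s*(?P<open>[(\[])(?P<body>[^()\[\]]*)(?P<close>[)\]])$")

SwitchPort = Tuple[str, int]  # (switch identifier, port number)


@dataclass
class DccPolicy:
    name: str
    devices: Set[str] = field(default_factory=set)            # device port WWNs
    ports: Dict[str, Set[int]] = field(default_factory=dict)  # switch -> port numbers
    all_ports: Set[str] = field(default_factory=set)          # switches listed with "*"

    def has_port(self, switch: str, port: int) -> bool:
        return switch in self.all_ports or port in self.ports.get(switch, set())


def expand_ports(body: str) -> Set[int]:
    """Expand a port list such as "1-6,9" into {1, 2, 3, 4, 5, 6, 9}."""
    ports: Set[int] = set()
    for item in body.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad port range {item!r}")
            ports.update(range(lo, hi + 1))
        elif item:
            ports.add(int(item))
    return ports


def parse_dcc_policy(name: str, members: str,
                     attached: Dict[SwitchPort, Set[str]]) -> DccPolicy:
    """Build a policy from the secPolicyCreate member string."""
    if not NAME_RE.match(name):
        raise ValueError(f"invalid DCC policy name {name!r}")
    policy = DccPolicy(name)
    for member in filter(None, (m.strip() for m in members.split(";"))):
        if WWN_RE.match(member):
            policy.devices.add(member.lower())
            continue
        m = PORT_RE.match(member)
        if not m or (m["open"] == "(") != (m["close"] == ")"):
            raise ValueError(f"unrecognised member {member!r}")
        switch, body = m["switch"].strip(), m["body"].strip()
        if body == "*":
            policy.all_ports.add(switch)
            selected = {p for (s, p) in attached if s == switch}
        else:
            selected = expand_ports(body)
            policy.ports.setdefault(switch, set()).update(selected)
        if m["open"] == "[":  # bracket form also enrols the attached devices
            for p in selected:
                policy.devices.update(w.lower() for w in attached.get((switch, p), set()))
    return policy


def connection_allowed(policies: List[DccPolicy], device_wwn: str,
                       switch: str, port: int) -> bool:
    """Decide one device/switch-port pairing under the DCC policy state rules."""
    wwn = device_wwn.lower()
    listing_device = [p for p in policies if wwn in p.devices]
    listing_port = [p for p in policies if p.has_port(switch, port)]
    if not listing_device and not listing_port:
        return True  # neither the device nor the port is named in any policy
    # otherwise some single policy must name both the device and the port
    return any(p.has_port(switch, port) for p in listing_device)


def example_policies() -> List[DccPolicy]:
    """The server, storage and abc policies from the examples above. The
    attached-device map is constructed: two devices were logged in on
    domain 2 when DCC_POLICY_storage was created."""
    attached = {("2", 0): {"55:66:77:88:99:aa:bb:01"},
                ("2", 5): {"55:66:77:88:99:aa:bb:02"}}
    return [
        parse_dcc_policy("DCC_POLICY_server", "11:22:33:44:55:66:77:aa;1(1,3)", attached),
        parse_dcc_policy("DCC_POLICY_storage", "22:33:44:55:66:77:11:bb;2[*]", attached),
        parse_dcc_policy("DCC_POLICY_abc", "33:44:55:66:77:11:22:cc;3(1-6,9)", attached),
    ]
```

connection_allowed() returns False both for a listed device on a port outside its policy and for an unlisted device on a listed port, which is the behaviour Table 13 describes. A switch given as (*) or [*] is matched without enumerating its ports, so the check does not need to know the switch's port count; the difference between the two forms is only that [*] also enrols whatever was attached at creation time.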
Creating an SCC policy

The SCC policy is used to restrict which switches can join the fabric. Switches are checked 
against the policy each time secure mode is enabled, the fabric is initialized with secure mode 
enabled, or an EPort-to-EPort connection is made. 

The policy is named SCC_POLICY, and accepts members listed as WWNs, domain IDs, or 
switch names. Only one SCC policy may be created. 

By default, any switch is allowed to join the fabric; the SCC policy does not exist until it is 
created by the administrator. 



NOTE: When an SCC policy is activated, any non-FCS switches in the fabric not included in
the policy member list will be segmented from the fabric.



The possible SCC policy states are shown in Table 14. 



Table 14 SCC policy states

Policy state                  SCC policy enforcement

No policy specified           All switches may join the fabric.

Policy specified, but with    The SCC policy includes all FCS switches. All non-FCS switches are
no members                    excluded. Only FCS switches may join the fabric.

Policy specified, with        The SCC policy contains all FCS switches and any switches specified in
members                       the member list. Any non-FCS switches not explicitly specified are
                              excluded. Only FCS switches and explicitly specified non-FCS switches
                              may join the fabric.



To create an SCC policy: 



1. Log in to the primary FCS switch as admin from a sectelnet or Secure Shell session. 

2. Type secPolicyCreate "SCC_POLICY", "member;...;member".

Member indicates a switch that is permitted to join the fabric. Switches can be specified by 
WWN, domain ID, or switch name. An asterisk (*) can be entered to indicate all the 
switches in the fabric. 

3. To save or activate the new policy, enter either the secPolicySave or the 
secPolicyActivate command. 
If neither of these commands is entered, the changes are lost when the session is logged
out. For more information about these commands, see "Saving changes to Secure Fabric
OS policies" on page 84 and "Activating changes to Secure Fabric OS policies" on
page 84.

For example, to create an SCC policy that allows switches that have domain IDs 2 and 4
to join the fabric:

primaryfcs:admin> secpolicycreate "SCC_POLICY", "2;4"

SCC_POLICY has been created



Managing Secure Fabric OS policies 

All Secure Fabric OS transactions must be performed through the primary FCS switch only,
except for the secTransAbort, secFCSFailover, secStatsReset, and
secStatsShow commands.

Multiple sessions can be created to the primary FCS switch from one or more hosts. However,
the software allows only one Secure Fabric OS transaction at a time. If a second Secure
Fabric OS transaction is started, it fails. The only secondary transaction that can succeed is
the secTransAbort command.

All policy modifications are only saved in volatile memory until the changes are saved or 
activated. 

The following functions can be performed on existing Secure Fabric OS policies: 

• "Saving changes to Secure Fabric OS policies" on page 84 

Save changes to flash memory without actually implementing the changes within the 
fabric. This saved but inactive information is known as the "defined policy set." 

• "Activating changes to Secure Fabric OS policies" on page 84 

Simultaneously save and implement all the policy changes made since the last time 
changes were activated. The activated policies are known as the "active policy set." 

• "Adding a member to an existing policy" on page 85 

Add one or more members to a policy. The aspect of the fabric covered by each policy is 
closed to access by all devices/switches that are not listed in that policy. 

• "Removing a member from a policy" on page 86 

Remove one or more members from a policy. If all members are removed from a policy, 
that aspect of the fabric becomes closed to all access. The last member of the FCS_POLICY 
cannot be removed, because a primary FCS switch must be designated. 
• "Deleting a policy" on page 86

Delete an entire policy; however, keep in mind that doing so opens up that aspect of the 
fabric to all access. 

• "Aborting All uncommitted changes" on page 87 

Abort all the changes to the Secure Fabric OS policies since the last time changes were 
saved or activated. 

• "Aborting a Secure Fabric OS transaction" on page 87 

From any switch in the fabric, abort a Secure Fabric OS-related transaction that has 
become frozen (such as due to a failed host) and is preventing other Secure Fabric OS 
transactions. 

Each of these tasks is described in the subsections that follow. 

Saving changes to Secure Fabric OS policies 

You can save changes to Secure Fabric OS policies without activating them by entering the 
secPolicySave command. This saves the changes to the defined policy set. 



NOTE: Until the secPolicySave or secPolicyActivate command is issued, all policy
changes are in volatile memory only and are lost if the switch reboots or the current session is
logged out.



To save changes to the Secure Fabric OS policies without activating them: 

1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin. 

2. Type the secPolicySave command. 

primaryfcs:admin> secpolicysave

Committing configuration...done.

Saving Defined FMPS...

done

Activating changes to Secure Fabric OS policies 

Changes to the Secure Fabric OS policies can be implemented using the 
secPolicyActivate command. This saves the changes to the active policy set and 
activates all policy changes since the last time the command was issued. Policies cannot be 
activated on an individual basis; all changes to the entire policy set are activated by the 
command. 
NOTE: Until a secPolicySave or secPolicyActivate command is issued, all policy
changes are in volatile memory only and are lost upon rebooting. 



To activate changes to the Secure Fabric OS policies: 

1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin. 

2. Type the secPolicyActivate command: 

primaryfcs:admin> secpolicyactivate

About to overwrite the current Active data.
ARE YOU SURE (yes, y, no, n): [no] y
Committing configuration...done.
Saving Defined FMPS...
done
Saving Active FMPS...
done

Adding a member to an existing policy 

You can add members to policies by using the secPolicyAdd command. As soon as a 
policy has been created, the aspect of the fabric managed by that policy is closed to access 
by all devices that are not listed in the policy. 

To add a member to an existing Secure Fabric OS policy: 

1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin. 

2. Type secPolicyAdd "policy_name", "member;...;member".

Policy_name is the name of the Secure Fabric OS policy. Member is the item to be added 
to the policy, identified by device or switch IP address, switch domain ID, device or switch 
WWN, or switch name. 

3. To implement the change immediately, enter the secPolicyActivate command. 
For example, to add a member to the MS_POLICY using the device port WWN: 

primaryfcs:admin> secpolicyadd "MS_POLICY", "12:24:45:10:0a:67:00:40"

Member(s) have been added to MS_POLICY.

To add an SNMP manager to WSNMP_POLICY:

primaryfcs:admin> secpolicyadd "WSNMP_POLICY", "192.168.5.21"

Member(s) have been added to WSNMP_POLICY.

To add two devices to the DCC policy, to attach to domain 3 ports 1 and 3 (WWNs of
devices are 11:22:33:44:55:66:77:aa and 11:22:33:44:55:66:77:bb):

primaryfcs:admin> secpolicyadd "DCC_POLICY_abc", "11:22:33:44:55:66:77:aa;11:22:33:44:55:66:77:bb;3(1,3)"



Removing a member from a policy 



If all the members are removed from a policy, that policy becomes closed to all access. The 
last member cannot be removed from the FCS_POLICY, because a primary FCS switch must 
be designated. 

To remove a member from a Secure Fabric OS policy: 

1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin. 

2. Type secPolicyRemove "policy_name", "member;...;member".

Policy_name is the name of the Secure Fabric OS policy. Member is the device or switch to be
removed from the policy, identified by IP address, switch domain ID, device or switch WWN, or
switch name.

3. To implement the change immediately, enter the secPolicyActivate command.

For example, to remove a member that has a WWN of 12:24:45:10:0a:67:00:40 from
MS_POLICY:

primaryfcs:admin> secpolicyremove "MS_POLICY", "12:24:45:10:0a:67:00:40"

Member(s) have been removed from MS_POLICY.



Deleting a policy

If an entire Secure Fabric OS policy is deleted, that aspect of the fabric becomes open to all
access.

To delete a Secure Fabric OS policy: 

1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin. 

2. Type secPolicyDelete "policy_name".

policy_name is the name of the Secure Fabric OS policy.

3. To implement the change immediately, enter the secPolicyActivate command. 
NOTE: The FCS_POLICY cannot be deleted.



primaryfcs:admin> secpolicydelete "MS_POLICY"

About to delete policy MS_POLICY.
Are you sure (yes, y, no, n): [no] y
MS_POLICY has been deleted.



Aborting All uncommitted changes 

You can use the secPolicyAbort command to abort all Secure Fabric OS policy changes 
that have not yet been saved. This function can only be performed from the primary FCS 
switch. 

To abort all unsaved changes: 

1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin. 

2. Type the secPolicyAbort command. 

All changes since the last time the secPolicySave or secPolicyActivate 
commands were entered are aborted. 



primaryfcs:admin> secpolicyabort

Unsaved data has been aborted.



Aborting a Secure Fabric OS transaction 

You can use the secTransAbort command to abort a single Secure Fabric OS transaction 
from any switch in the fabric. This makes it possible to abort a transaction that has become 
frozen due to a failed host. If the switch itself fails, the transaction aborts by default. This 
command cannot be used to abort an active transaction. 

To abort a Secure Fabric OS transaction: 

1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin. 

2. Type the secTransAbort command. 

Any Secure Fabric OS transaction that was in process is aborted (except for the 
transaction of entering this command). 



primaryfcs:admin> sectransabort

Transaction has been aborted.

4 Managing Secure Fabric OS



Secure Fabric OS v2.6.2, v3.2.0, and v4.4.x can be managed through Fabric Manager and
sectelnet. In addition, Secure Shell is supported for Fabric OS v4.4.x. When secure mode is
enabled for a fabric, all Secure Fabric OS administrative operations, all zoning commands,
and some management server commands must be executed on the primary FCS switch. For a
list of the commands and related restrictions, see "Secure Fabric OS commands" on
page 117.

This chapter contains the following sections: 

• Viewing Secure Fabric OS information, page 89 

• Displaying and resetting Secure Fabric OS statistics, page 93 

• Managing passwords, page 97 

• Resetting the version number and time stamp, page 102

• Adding switches and merging fabrics with Secure mode enabled, page 103

• Troubleshooting, page 107

• Frequently asked questions, page 113

Viewing Secure Fabric OS information 

You can display the following Secure Fabric OS information: 

• General Secure Fabric OS-related information about a fabric 

• Secure Fabric OS policy sets (active and defined) 

• Information about one or more specific Secure Fabric OS policies

For information about viewing the Secure Fabric OS statistics, see "Displaying and resetting 
Secure Fabric OS statistics" on page 93. 
Displaying general Secure Fabric OS information

You can use the secFabricShow command to display general Secure Fabric OS-related 
information about a fabric. 

To display general Secure Fabric OS-related information: 

1. Open a sectelnet or Secure Shell session to the primary FCS switch and log in as admin. 

2. Type the secFabricShow command. The command displays the switches in the fabric 
and their status (Ready, Error, Busy, or NoResp, for no response from the switch). 



primaryfcs:admin> secfabricshow

Role     WWN                      Did  Status  Enet IP Addr     Name
non-FCS  10:00:00:60:69:10:03:23  1    Ready   192.168.100.148  "nonfcs"
Backup   10:00:00:60:69:00:12:53  2    Ready   192.168.100.147  "backup"
Primary  10:00:00:60:69:22:32:83  3    Ready   192.168.100.135  "primaryfcs"

Secured switches in the fabric: 3
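The secFabricShow listing is the natural place to verify, from a script, that the fabric's FCS arrangement is what the administrator expects. The following is an added Python example, not HP or Brocade code and not part of this guide: it parses the output shown above and reports anything a security check should flag (no single primary, an unexpected primary WWN, no backup FCS, a switch not in the Ready state, or a count that does not match the rows). The column order and the status values are taken from the sample output in this section; the expected primary WWN is supplied by the caller, and the `SAMPLE` string is that output reconstructed for the example.

```python
"""Parse secFabricShow output and flag conditions a fabric security check
should catch. Constructed example, not HP or Brocade code; the column order
(Role, WWN, Did, Status, Enet IP Addr, Name) and the status values follow the
sample output above, and the expected primary WWN is supplied by the caller."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ROW_RE = re.compile(
    r"^\s*(?P<role>Primary|Backup|non-FCS)\s+"
    r"(?P<wwn>[0-9a-f]{2}(?::[0-9a-f]{2}){7})\s+"
    r"(?P<did>\d+)\s+(?P<status>Ready|Error|Busy|NoResp)\s+"
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"(?P<name>[^"]*)"\s*$', re.IGNORECASE)
COUNT_RE = re.compile(r"Secured switches in the fabric:\s*(\d+)")

# The sample output from this section, reconstructed here as a string.
SAMPLE = """\
primaryfcs:admin> secfabricshow

Role     WWN                      Did  Status  Enet IP Addr     Name
non-FCS  10:00:00:60:69:10:03:23  1    Ready   192.168.100.148  "nonfcs"
Backup   10:00:00:60:69:00:12:53  2    Ready   192.168.100.147  "backup"
Primary  10:00:00:60:69:22:32:83  3    Ready   192.168.100.135  "primaryfcs"

Secured switches in the fabric: 3
"""


@dataclass
class FabricSwitch:
    role: str
    wwn: str
    did: int
    status: str
    ip: str
    name: str


def parse_secfabricshow(output: str) -> Tuple[List[FabricSwitch], Optional[int]]:
    """Return the switch rows and the 'Secured switches' count (None if absent)."""
    switches: List[FabricSwitch] = []
    count = None
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            switches.append(FabricSwitch(m["role"], m["wwn"].lower(), int(m["did"]),
                                         m["status"], m["ip"], m["name"]))
            continue
        c = COUNT_RE.search(line)
        if c:
            count = int(c.group(1))
    return switches, count


def fabric_problems(switches: List[FabricSwitch], count: Optional[int],
                    expected_primary_wwn: str) -> List[str]:
    """List findings worth raising; an empty list means the fabric looks as expected."""
    problems: List[str] = []
    primaries = [s for s in switches if s.role == "Primary"]
    if len(primaries) != 1:
        problems.append(f"expected exactly one primary FCS switch, found {len(primaries)}")
    elif primaries[0].wwn != expected_primary_wwn.lower():
        problems.append(f"primary FCS is {primaries[0].name} ({primaries[0].wwn}), "
                        f"expected {expected_primary_wwn.lower()}")
    if not any(s.role == "Backup" for s in switches):
        problems.append("no backup FCS switch is present")
    for s in switches:
        if s.status != "Ready":
            problems.append(f"switch {s.name} (domain {s.did}) reports status {s.status}")
    if count is not None and count != len(switches):
        problems.append(f"secured switch count {count} does not match {len(switches)} listed rows")
    return problems
```

Pinning the expected primary by WWN rather than by switch name matters because the name is an administrator-settable string, while the WWN is what the FCS policy itself is keyed on.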











Viewing the Secure Fabric OS policy database 

Use the secPolicyDump command to display the Secure Fabric OS policy database, which 
consists of the active and defined policy sets. This command displays information without 
page breaks. 

To view the Secure Fabric OS policy database: 

1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin. 

2. Type secpolicydump "listtype", "policy_name".

Listtype is the type of Secure Fabric OS policy set. It can be active, defined, or an 

asterisk (*), which displays both versions of the policy. If a list type is not entered, both 
versions of the Secure Fabric OS policy display. Policy_name is the name of the Secure 
Fabric OS policy. If you do not specify a policy name, the command displays all the 
policies in the specified policy set. 

If you do not specify any operands, the command displays all policies in both the active 
and defined policy sets. 
For example, to display all policies in both active and defined policy sets:

primaryfcs:admin> secpolicydump



DEFINED POLICY SET 

FCS_POLICY 

Pos Primary WWN Did swName 



1 Yes 10:00:00:60:69:30:15:5c 1 primaryfcs 

HTTP_POLICY 

IpAddr 



192.155.52.0 



ACTIVE POLICY SET 

FCS_POLICY 

Pos Primary WWN Did swName 



1 Yes 10:00:00:60:69:30:15:5c 1 primaryfcs 

HTTP_POLICY 

IpAddr 



192.155.52.0 
192.155.53.1 
192.155.54.2 
192.155.55.3 



Displaying individual Secure Fabric OS policies 

Use the secPolicyShow command to display information about one or more specified 
Secure Fabric OS policies. This command displays information, with page breaks. 

To display information about a specific Secure Fabric OS policy: 

1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin. 

2. Type secpolicyshow "listtype", "policy_name". 

listtype is the type of Secure Fabric OS policy set. It can be active, defined, or an 

asterisk (*), which displays both versions of the specified policy. policy_name is the name 
of the Secure Fabric OS policy. If you do not specify a policy name, the command 
displays all the policies in the specified policy set. 

If you do not specify any operands, the command displays all policies in both the active 
and defined policy sets. 
For example, to display all the policies in the defined policy set:



primaryfcs:admin> secpolicyshow "defined"

DEFINED POLICY SET

FCS_POLICY
Pos Primary WWN                      Did swName
1   Yes     10:00:00:60:69:30:15:5c  1   primaryfcs

HTTP_POLICY
IpAddr
192.155.52.0
192.155.53.1
192.155.54.2
192.155.55.3
192.155.56.4







To display the active version of the FCS policy: 



primaryfcs:admin> secpolicyshow "active", "FCS_POLICY"

ACTIVE POLICY SET

FCS_POLICY
Pos Primary WWN                      Did swName
1   Yes     10:00:00:60:69:30:15:5c  1   primaryfcs





Displaying status of Secure mode 

Use the secModeShow command to determine whether secure mode is enabled. 
To determine whether secure mode is enabled: 

1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin. 
2. Type the secModeShow command. The command displays the status of secure mode, the
version number and time stamp, and the list of switches in the FCS policy.

switch:admin> secmodeshow

Secure Mode: ENABLED.

Version Stamp: 9182, Wed Mar 13 16:37:01 2001.
POS Primary WWN                      Did swName
1   Yes     10:00:00:60:69:00:00:5a  21  switch47.
2   No      12:00:00:60:60:03:23:5b  5   switch12.



Table 15 identifies the information that displays if secure mode is enabled.

Table 15 Secure mode information

Table heading   Indicates

Pos             Position of switch in FCS list

Primary         "Yes" if switch is primary FCS, "no" if not

WWN             WWN of each FCS switch

Did             Domain ID of each FCS switch

swName          Switch name of each FCS switch



Displaying and resetting Secure Fabric OS statistics

Secure Fabric OS provides several statistics regarding attempted policy violations. This
includes events such as the following:

• A DCC policy exists that defines which devices are authorized to access which switch
(port) combinations, and a device that is not listed in the policy tries to access one of the
defined switch (port) combinations.

• An attempt is made to log in to an account with an incorrect password.

The statistics for all DCC policies are added together.

NOTE: Rebooting the switch resets all the statistics. Secure Fabric OS statistics can also be
monitored through Fabric Watch.



Each statistic indicates the number of times the monitored event has occurred since the 
statistics were last reset (secStatsReset command). For the Telnet policy, this includes all 
the automated login attempts made by the sectelnet or Secure Shell client software, in addition 
to the actual attempts made by the user. 

On dual-CP directors, statistics are maintained separately on each CP and are counted only 
on the active CP. If a director fails over from the active to the standby CP, statistics are not 
replicated to the standby CP. 

The names of the Secure Fabric OS statistics and their definitions are provided in Table 16.



Table 16 Secure Fabric OS statistics

Statistic                    Definition

TELNET_POLICY                The number of attempted violations to the Telnet policy (includes
                             automated attempts made by client software).

HTTP_POLICY                  The number of attempted violations to the HTTP policy.

API_POLICY                   The number of attempted violations to the API policy (includes
                             automated attempts made by client software).

RSNMP_POLICY                 The number of attempted violations to the RSNMP policy.

WSNMP_POLICY                 The number of attempted violations to the WSNMP policy.

SES_POLICY                   The number of attempted violations to the SES policy.

MS_POLICY                    The number of attempted violations to the MS policy.

SERIAL_POLICY                The number of attempted violations to the Serial policy.

FRONTPANEL_POLICY            The number of attempted violations to the Front Panel policy.

SCC_POLICY                   The number of attempted violations to the SCC policy.

DCC_POLICY                   The number of attempted violations to the DCC policy.
                             Note: Fabric OS v4.4.x increases the counter by 1 for each drive
                             in a JBOD. Fabric OS v3.2.0 increases the counter by 1 for the
                             entire JBOD.

LOGIN                        The number of invalid login attempts.

INVALID_TS                   A received packet has a time stamp that differs from the time of
(invalid time stamps)        the receiving switch by more than the maximum allowed difference.

INVALID_SIGN                 A received packet has a bad signature.
(invalid signatures)

INVALID_CERT                 A received certificate is not properly signed by the root CA of
(invalid certificates)       the receiving switch.

AUTH_FAIL                    The switch received a SLAP that it could not verify, possibly due to
(SLAP* failures)             bad certificates, bad signature, the other side not performing SLAP,
                             or SLAP packets that were received out of sequence. This counter is
                             not advanced if SLAP protocol does not complete, which can
                             happen when a switch that does not have secure mode enabled is
                             attached to a switch that does.

SLAP_BAD_PKT                 SLAP packets are received with a bad transaction ID.
(SLAP* bad packets)

TS_OUT_SYNC                  The time server is out of synchronization with the primary FCS
(TS out of synchronization)  switch.

NO_FCS (no fabric            The number of times the switch has simultaneously lost contact with
configuration server)        all the switches in the FCS list.

INCOMP_DB                    Secure Fabric OS databases are incompatible; might be due to
(incompatible Secure         different version numbers, time stamps, FCS policies, or secure
Fabric OS database)          mode status.

ILLEGAL_CMD                  The number of times a command is issued on a switch where it is
(illegal command)            not allowed (such as entering secmodedisable on a non-FCS
                             switch).

* SLAP (Switch Link Authentication Protocol) is the switch-to-switch authentication process.
Displaying Secure Fabric OS statistics

Use the secStatsShow command to display statistics for one or all Secure Fabric OS 
policies, depending on the operand entered. This command can only be issued from the 
primary FCS switch if the "list" operand is specified. If the "list" operand is not specified, this 
command can be entered from any switch in the fabric. 



NOTE: On dual-CP directors, statistics are maintained separately on each CP and are
counted only on the active CP. If a director fails over from the active to the standby CP,
statistics are not replicated to the standby CP.



To display Secure Fabric OS statistics: 

1. Log in to the primary FCS switch as admin from a sectelnet or Secure Shell session. 

2. Type secStatsShow "name", "list".

Name is the name of a Secure Fabric OS statistic or the policy that relates to the statistic.
The valid statistic names are listed in Table 16. An asterisk (*) can be entered to indicate
all statistics. List is a list of the domain IDs for which to display the statistics. You can enter
an asterisk (*) to indicate all switches in the fabric. The default value is that of the local
switch. If neither operand is specified, all statistics for all policies are displayed.

The statistic and number of related attempted policy violations are displayed. For example, 
to display Secure Fabric OS statistics for the Management Server policy: 

primaryfcs:admin> secstatsshow "MS_POLICY"

Name    Value

MS      20

Resetting Secure Fabric OS statistics 

The secStatsReset command can be used to reset statistics for a particular policy or all 
policies to 0. This command can be issued on any switch. Recording and resetting the 
statistics allows you to identify changes in traffic patterns since the statistics were last reset. 
This command can only be issued from the primary FCS switch if the "list" operand is 
specified. If the "list" operand is not specified, this command can be entered from any switch 
in the fabric. 

To reset a statistic counter to 0: 

1. Log in to the primary FCS switch as admin from a sectelnet or Secure Shell session. 

2. If desired, enter the secStatsShow command and record the current statistics. 

3. Type secStatsReset "name", "list" to reset the statistics.

name is the name of the statistic or the policy that relates to the statistic. The valid statistic
names are listed in Table 16. You can enter an asterisk (*) to indicate all Secure Fabric
OS statistics.

list is a list of the domain IDs for which to reset the statistics. You can enter an asterisk (*)
to indicate all switches in the fabric. The default value is that of the local switch.

If neither operand is specified, all statistics for all Secure Fabric OS policies are reset to 0.

The specified statistics are reset to 0.

For example, to reset all statistics on a local switch:

primaryfcs:admin> secstatsreset

About to reset all security counters.
Are you sure (yes, y, no, n): [no] y
Security statistics reset to zero.

To reset the DCC_POLICY statistics on domains 1 and 69:

primaryfcs:admin> secstatsreset "DCC_POLICY", "1;69"

Reset DCC_POLICY statistic.
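The two procedures above (recording statistics, then resetting them) are what lets an administrator tell new violation attempts from old ones. The same comparison can be made without a reset by diffing two secStatsShow snapshots. The following is an added Python example, not HP or Brocade code and not part of this guide. It assumes that a multi-counter listing uses the same Name/Value row layout as the MS_POLICY example above and that the other counters are displayed in the same short form (MS for MS_POLICY); both snapshots are constructed, and a counter that has gone down is treated as having been zeroed by a reboot or secStatsReset in the meantime, as this section notes both do.

```python
"""Diff two secStatsShow snapshots and report Secure Fabric OS counters that
advanced. Constructed example, not HP or Brocade code. The multi-row layout
and the short counter names (MS for MS_POLICY as in the example above, the
same form assumed for the other counters) are assumptions."""
import re
from typing import Dict, List, Tuple

ROW_RE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s+(\d+)\s*$")

# Counters that indicate an access-control or authentication failure rather
# than fabric housekeeping; these are the ones reported by alerts().
HIGH_SIGNAL = {"TELNET", "HTTP", "API", "RSNMP", "WSNMP", "SES", "MS", "SERIAL",
               "FRONTPANEL", "SCC", "DCC", "AUTH_FAIL", "INVALID_SIGN", "INVALID_CERT"}

# Two constructed snapshots taken some time apart without a secStatsReset.
SNAPSHOT_T0 = """\
primaryfcs:admin> secstatsshow "*"
Name            Value
TELNET          3
HTTP            0
DCC             12
AUTH_FAIL       0
NO_FCS          1
"""
SNAPSHOT_T1 = """\
primaryfcs:admin> secstatsshow "*"
Name            Value
TELNET          9
HTTP            0
DCC             12
AUTH_FAIL       2
NO_FCS          1
"""


def parse_secstatsshow(output: str) -> Dict[str, int]:
    """Turn Name/Value rows into a dict; the prompt and header lines do not match."""
    stats: Dict[str, int] = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def counter_deltas(previous: Dict[str, int], current: Dict[str, int]) -> List[Tuple[str, int]]:
    """Return (counter, increase) for every counter that grew between snapshots.

    A counter that is lower than before means the switch rebooted or
    secStatsReset ran in between (both zero the counters), so the whole
    current value is treated as new activity rather than being discarded."""
    deltas: List[Tuple[str, int]] = []
    for name, value in current.items():
        before = previous.get(name, 0)
        increase = value - before if value >= before else value
        if increase > 0:
            deltas.append((name, increase))
    return deltas


def alerts(previous: Dict[str, int], current: Dict[str, int]) -> List[str]:
    """Human-readable lines for high-signal counters that advanced."""
    return [f"{name}: +{inc} attempted violations since last snapshot"
            for name, inc in counter_deltas(previous, current) if name in HIGH_SIGNAL]
```

Because the counters live only on the active CP of a dual-CP director and are lost on failover, a snapshot taken after a failover will also look like a reset; the delta logic above handles that the same way, by counting the whole current value.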



Managing passwords

This section provides the following information:

• "Modifying passwords in Secure mode" on page 100 

• "Using temporary passwords" on page 101 

When secure mode is enabled, the following conditions apply: 

• The passwd command can only be entered on the primary FCS switch. 

• The root and factory accounts can only be accessed from the FCS switches. Attempting to 
access them from a non-FCS switch generates an error message. 

• The admin account (or roles) remains available from all switches, but two passwords are
implemented: one for all FCS switches and one for all non-FCS switches.

• Temporary passwords can be created for specific switches, making it possible to provide 
temporary access to another user. 

The user account (or roles) remain available fabric-wide regardless of whether secure mode is 
enabled. The characteristics of the different accounts when secure mode is enabled and 
disabled are described in Table 17. 

You can use the multiple user account (MUA) feature of Fabric OS v3.2.0 and v4.4.x if the 
primary FCS switch is running either Fabric OS version. The other switches do not need to be 
running a version of Fabric OS supporting MUA. 

If a digital certificate is installed, the sectelnet and API passwords are automatically 
encrypted, regardless of whether secure mode is enabled. HTTP only encrypts passwords if 
secure mode is enabled. 



NOTE: Record passwords and store them in a secure place; recovering passwords might 
require significant effort and result in fabric downtime. 

Table 17 on page 99 summarizes login account behavior with secure mode disabled and 
enabled. 

Table 17 Login account behavior with Secure Mode disabled and enabled 

Login account: User 
Recommended for all non-administrative options. Can use to modify user password. 

Secure mode disabled: Available on all switches. Password is specific to each switch; can 
modify using passwd command. 

Secure mode enabled: Available on all switches. Can create temporary passwords. Password 
is fabric wide; can modify using passwd command on the primary FCS switch. 

Login account: Admin 
Recommended for all administrative options. Can use to modify admin and user passwords. 

Secure mode disabled: Available on all switches. Password is specific to each switch; can 
modify using passwd command. 

Secure mode enabled: Available on all switches. Can create temporary passwords. Two 
passwords: 

• One for all FCS switches; can modify using passwd command on the primary FCS switch. 

• One for all non-FCS switches; can modify using secNonFCSPasswd command on the 
primary FCS switch. 

Login account: Root 
For debugging purposes; not recommended for administrative operations. Can use to modify 
root, factory, admin, and user passwords. 

Secure mode disabled: Available on all switches. Password is specific to each switch; can 
modify using passwd command. 

Secure mode enabled: Available on FCS switches only. However, can temporarily enable 
root and factory accounts on non-FCS switches by creating a temporary password. Password 
is common to all FCS switches; can modify using passwd command on the primary FCS 
switch. 

Modifying passwords in Secure mode 

The passwd command can be used to modify the fabric-wide user password and the 
passwords for the FCS switches. The secNonFCSPasswd can be used to modify the admin 
password for non-FCS switches. 



NOTE: If the password is changed for a login account, all open sessions using that account 
are terminated, including the session from which the passwd command was executed, if 
applicable. 



Modifying the FCS switch passwords or the fabric-wide user password 

The passwd command can be used to modify the passwords for the following accounts when 
secure mode is enabled: 

• The fabric-wide user account 

• The admin, root, and factory accounts on the FCS switches 

• Multiple user account (MUA) passwords for user-defined accounts 

To modify the passwords: 

1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin, root, 
or factory, depending on which password you want to modify (use the account for which 
you want to modify a password or a higher-level account). 

2. Type the passwd command. 

3. Type the new passwords at the prompts. The passwords can be anywhere between 8 and 
40 alphanumeric characters in length. 

The passwords are distributed to all switches in the fabric and saved in the Secure Fabric 
OS database. Any existing telnet connections to the switches are terminated and must be 
reinitiated if access is required. 

switch:admin> passwd "admin" 

Changing password for admin 
Enter new password: 
Re-type new password: 
Password changed. 

Saving password to stable storage. 

Password saved to stable storage successfully. 

Modifying the non-FCS switch admin password 

The secNonFCSPasswd command can be used to modify the password for the admin 
account on non-FCS switches. Secure mode must be enabled to use this command. 

To modify the admin password for non-FCS switches: 

1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin. 
Type the secNonFCSPasswd command. 

2. Type the new non-FCS admin password at the prompt. The password can be anywhere 
from 8 to 40 alphanumeric characters in length. 

This password becomes the admin password for all non-FCS switches in the fabric. 

3. Reenter the new non-FCS admin password at the prompt. The password is distributed to all 
switches in the fabric and saved in the Secure Fabric OS database. Any existing 
admin-level telnet connections to these non-FCS switches are terminated. 

primaryfcs:admin> secnonfcspasswd 

Non FCS switch password: 
Re-enter new password: 
Committing configuration...done. 

Using temporary passwords 

Temporary passwords can be created to grant temporary access to a specific switch and 
login account without compromising the confidentiality of the permanent passwords; the 
permanent passwords also remain in effect. Temporary passwords can be removed; they are 
also automatically removed after a switch reboot. 



NOTE: If a temporary password is set on a backup FCS switch, and the backup FCS switch 
then becomes the primary FCS switch, the temporary password remains in effect on that 
switch until the secTempPasswdReset command is entered. 



Creating a temporary password for a switch 

The secTempPasswdSet command can be used to create a temporary password. You must 
specify a login account and a switch Domain ID. 

To create a temporary admin password on a non-FCS switch: 

1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin. 

2. Type secTempPasswdSet domain, "login_name". 

domain is the Domain ID of the switch for which you want to set a temporary password. 
login_name is the login account for which you want to set the temporary password. 

3. Type the admin password at the prompt. 

4. Type an alphanumeric password between 8 and 40 characters in length. 

5. Reenter the password exactly as entered the first time. 

For example, to create a temporary password for the admin account on a switch that has 
a Domain ID of 2: 

primaryfcs:admin> sectemppasswdset 2, "admin" 

Set remote switch admin password: swimming 
Re-enter remote switch admin password: swimming 

Committing configuration...done 

Password successfully set for domain 2 for admin. 

Removing a temporary password from a switch 

The secTempPasswdReset command can be used to remove the temporary password. The 
permanent password remains in effect. 

To remove the temporary password from a switch: 

1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin. 

2. Type secTempPasswdReset domain, "login_name". 

domain is the domain ID of the switch for which you want to remove the temporary 
password. login_name is the login account to which the temporary password applies. 

You can enter the command with no parameters to reset all temporary passwords in the 
fabric. 

For example, to remove a temporary password for the admin account from a switch that 
has a domain ID of 2: 

switch:admin> sectemppasswdreset 2, "admin" 

Committing configuration...done 

Password successfully reset on domain 2 for admin 
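The following model, added here as an illustration and not taken from the user guide or from Fabric OS itself, shows how the password rules in "Modifying passwords in Secure mode" and "Using temporary passwords" resolve on a given switch: one fabric-wide user password, one admin password for all FCS switches and a separate one for all non-FCS switches, root and factory reachable only from FCS switches unless a temporary password exists, and temporary passwords that coexist with the permanent ones until the switch reboots or secTempPasswdReset is entered. The SecureFabric class, its method names and the sample passwords are assumptions made for the example.

```python
"""Model of how login passwords resolve on a fabric in secure mode.

Added illustration; not code from the user guide or from Fabric OS.
Class and method names are assumptions chosen to mirror the CLI commands.
"""
import hashlib
import hmac
import os

PASSWORD_MIN, PASSWORD_MAX = 8, 40     # length limits stated in the guide


class Credential:
    """Salted password hash with constant-time comparison."""

    def __init__(self, password):
        if not PASSWORD_MIN <= len(password) <= PASSWORD_MAX:
            raise ValueError("password must be 8 to 40 characters")
        self.salt = os.urandom(16)
        self.digest = self._derive(password, self.salt)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def check(self, password):
        return hmac.compare_digest(self.digest, self._derive(password, self.salt))


class SecureFabric:
    """Password state held by the primary FCS switch and distributed fabric-wide."""

    def __init__(self, fcs_domains):
        self.fcs_domains = set(fcs_domains)   # domain IDs listed in the FCS policy
        self.permanent = {}    # (scope, account) -> Credential
        self.temporary = {}    # (domain, account) -> Credential

    def passwd(self, account, password):
        # passwd on the primary FCS switch: the user password is fabric-wide,
        # admin/root/factory passwords apply to every FCS switch.
        scope = "fabric" if account == "user" else "fcs"
        self.permanent[(scope, account)] = Credential(password)

    def sec_non_fcs_passwd(self, password):
        # one admin password shared by all non-FCS switches
        self.permanent[("nonfcs", "admin")] = Credential(password)

    def sec_temp_passwd_set(self, domain, account, password):
        self.temporary[(domain, account)] = Credential(password)

    def sec_temp_passwd_reset(self, domain=None, account=None):
        # no parameters: reset every temporary password in the fabric
        if domain is None:
            self.temporary.clear()
        else:
            self.temporary.pop((domain, account), None)

    def reboot(self, domain):
        # temporary passwords do not survive a reboot of that switch
        for key in [k for k in self.temporary if k[0] == domain]:
            del self.temporary[key]

    def login(self, domain, account, password):
        """True if `password` opens `account` on the switch with this domain ID."""
        temp = self.temporary.get((domain, account))
        if temp is not None and temp.check(password):
            return True                      # temporary password grants access
        is_fcs = domain in self.fcs_domains
        if account == "user":
            cred = self.permanent.get(("fabric", "user"))
        elif account == "admin":
            cred = self.permanent.get(("fcs" if is_fcs else "nonfcs", "admin"))
        elif account in ("root", "factory"):
            if not is_fcs:
                return False                 # only a temporary password opens these here
            cred = self.permanent.get(("fcs", account))
        else:
            return False
        return cred is not None and cred.check(password)
```

The permanent credential is still checked after a temporary one fails, which is the behaviour the guide describes: setting a temporary password never disables the permanent one, so removing the temporary password (or rebooting the switch) silently restores the previous state rather than locking anyone out.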



Resetting the version number and time stamp 

When a change is made to any information in the Secure Fabric OS database (zoning, 
policies, passwords, or SNMP), the current time stamp and a version number are attached to 
the Secure Fabric OS database. 

This information is used to determine which database is preserved when two or more fabrics 
are merged. The database of the fabric with a nonzero version stamp is kept. When merging 
fabrics, ensure that the version stamp of the database you want to preserve is nonzero; then, 
set the version stamp of all other fabrics to 0. To ensure that the time stamp of a fabric is 
nonzero, modify a policy and enter the secPolicySave or secPolicyActivate 
command. 

To display the version number and time stamp of a fabric: 

1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin. 

2. Type the secModeShow command. 

To reset the time stamp of a fabric to 0: 

1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin. 

2. Type the secVersionReset command. If the fabric contains no FCS switch, you can 
enter the secVersionReset command on any switch. 

Adding switches and merging fabrics with Secure mode enabled 

To merge fabrics, all switches must be in the same state regarding secure mode and must 
have an identical FCS policy. Any switches that do not have a matching FCS policy or are 
in a different state regarding secure mode are segmented. For example, two fabrics that both 
have secure mode disabled can be merged, and two fabrics that both have secure mode 
enabled can be merged. 

When fabrics are merged, the fabric that contains the desired configuration information must 
have a nonzero version stamp, and all the other fabrics being merged must have zero version 
stamps. The Security policy set, zoning configuration, password information, multiple user 
account information, and SNMP community strings are overwritten by the fabric whose 
version stamp is nonzero. Before merging, verify that the fabric that contains all the desired 
information has the nonzero stamp. 



NOTE: As an exception to the rule of secure fabric mergers, when a non-FCS switch merges 
with a secure fabric, the primary switch propagates its secure database to the non-FCS switch. 
Propagation from the primary switch occurs even if the secure fabric has a zero version stamp 
and the non-FCS switch has nonzero version stamp. 

For general information about merging fabrics and instructions for merging fabrics that are 
not in secure mode, refer to the HP StorageWorks Fabric OS 4.x procedures user guide. 

Table 18 indicates the results of moving switches in and out of fabrics with secure mode 
enabled or disabled. 

Table 18 Moving switches between fabrics 

Initial state of switch: Has secure mode enabled and is primary FCS switch in the FCS policy 
stored on switch. 

If set up as a standalone switch: Forms a one switch fabric with secure mode enabled, and 
acts as primary FCS switch. 

If moved into a fabric that has Secure Mode enabled and a functioning primary FCS switch: 
Segments unless FCS policies are identical. If identical, switch is primary FCS switch unless 
other FCS switch is higher in the FCS policy. 

If moved into a fabric that has Secure Mode enabled but no FCS switches are available: 
Segments unless FCS policies are identical. If policies are identical, switch becomes primary 
FCS switch. 

If moved into a non-secure fabric: Segments from fabric. 

Initial state of switch: Has secure mode enabled and is backup FCS switch in the FCS policy 
stored on switch. 

If set up as a standalone switch: Forms a one switch fabric with secure mode enabled, and 
acts as primary FCS switch. 

If moved into a fabric that has Secure Mode enabled and a functioning primary FCS switch: 
Segments unless FCS policies are identical. If policies are identical, switch is backup FCS 
switch. 

If moved into a fabric that has Secure Mode enabled but no FCS switches are available: 
Segments unless FCS policies are identical. If policies are identical, switch becomes primary 
FCS switch. 

If moved into a non-secure fabric: Segments from fabric. 

Initial state of switch: Has secure mode enabled and is non-FCS switch in the FCS policy 
stored on switch. 

If set up as a standalone switch: Forms a one switch fabric with secure mode enabled but no 
FCS switch (to specify primary FCS switch, enter secModeEnable). 

If moved into a fabric that has Secure Mode enabled and a functioning primary FCS switch: 
Segments unless FCS policies are identical. If policies are identical, switch is non-FCS 
switch. 

If moved into a fabric that has Secure Mode enabled but no FCS switches are available: 
Segments unless FCS policies are identical. If policies are identical, switch is a non-FCS 
switch. 

If moved into a non-secure fabric: Segments from fabric. 

Initial state of switch: Has secure mode disabled. 

If set up as a standalone switch: Standard operation. 

If moved into a fabric that has Secure Mode enabled and a functioning primary FCS switch: 
Segments from fabric. 

If moved into a fabric that has Secure Mode enabled but no FCS switches are available: 
Segments from fabric. 

If moved into a non-secure fabric: Standard operation. 

NOTE: Although the following procedure does not require rebooting the fabric, there is 
potential for segmentation or other disruption to the fabric due to the number of factors 
involved in the merge process. 



To merge two or more fabrics that have Secure Fabric OS implemented: 

1. As a precaution, back up the configuration of each fabric to be merged by entering the 
configUpload command and completing the prompts. This also backs up the policies if 
Secure Fabric OS was already in use on the switch (such as on a 1 Gb switch running 
v2.6.x). 

2. Ensure that all switches to be merged are running Fabric OS v2.6.2, v3.2.0, or v4.4.x. 

a. Open a CLI connection (serial or telnet) to one of the switches in the fabric. 

b. Log in to the switch as admin. The default password is password. 

c. Type the version command. If the switch is a Core Switch 2/64 or SAN Director 
2/128, you can alternatively enter the firmwareShow command. 

d. If the switch is not running Fabric OS v2.6.2, v3.2.0, or v4.4.x upgrade the firmware 
as required. For information on upgrading firmware, refer to the HP StorageWorks 
Fabric OS 4.x procedures user guide. 

e. Customize the account passwords from the default values. 

f. Repeat for each switch that you intend to include in the final merged fabric. 

3. If the final merged fabric will contain switches running Fabric OS v2.6.2 or v3.2.0 and 
switches running Fabric OS v4.4.x, the PID mode on all switches must be compatible; for 
more information about PID modes, refer to the HP StorageWorks Fabric OS 4.x 
procedures user guide. 



NOTE: If you change the PID format used on the fabric (for example, from native mode to 
core PID mode), you need to create new DCC policies on each switch. 



4. Ensure that the Management Server Platform Service is consistently enabled or disabled 
across all the switches to be merged. For information about management server support 
provided by Fabric OS, refer to the HP StorageWorks Fabric OS 4.x procedures user 
guide. 

5. Ensure that all switches to be merged have activated Secure Fabric OS and Zoning 
licenses. 

6. Ensure that all switches to be merged have the required PKI objects (private key 
passphrase, switch private key, CSR, and root certificate) and a digital certificate 
installed. 

a. Log in to the switch as admin. 

b. Type the command supported by the Fabric OS installed on the switch: 

• For Fabric OS v4.4.x, enter pkiShow. 

• For Fabric OS v2.6.2 and v3.2.0, enter configShow "pki". 

A list displays the PKI objects currently installed on the switch. 
NOTE: "Root Certificate" is an internal PKI object. "Certificate" is the digital certificate. 



c. Verify that all of the objects display "Exist". 

If the digital certificate displays "Empty," repeat the procedure provided in "Distributing 
digital certificates to the switches" on page 34. If any of the PKI objects other than the 
digital certificate displays "Empty", you can either reboot the switch to automatically 
re-create the objects or re-create them as described in "Recreating PKI objects if required" 
on page 39. 

d. Repeat for the remaining switches in the fabric. 

7. Install a supported CLI client on the computer workstations that you will be using to 
manage the merged fabric. Supported CLI clients include sectelnet and Secure Shell and 
are discussed in "Installing a supported CLI client on a computer workstation" on page 49. 

8. Enable secure mode on all switches to be merged by entering the secModeEnable 
command on the primary FCS switches of any fabrics that do not already have secure 
mode enabled. For more information about enabling secure mode, refer to "Enabling 
Secure mode" on page 57. 

9. Determine which switches you want to designate as primary FCS switch and backup FCS 
switches for the merged fabric; then, modify the FCS policy for each fabric to list these 
switches as the primary FCS switch and backup FCS switches. Ensure that all the FCS 
policies are an exact match; they must list the same switches, with the switches identified in 
the same manner and listed in the same order. 

If a fabric has become segmented with secure mode enabled but no FCS switches 
available, enter the secModeEnable command and modify the FCS policy to specify FCS 
switches. This is the only instance in which this command can be entered when secure 
mode is already enabled. 

10. Modify the SCC policy on the final primary FCS switch (the one that will succeed as the 
primary FCS switch in the final merged fabric) to include all switches that are being 
merged. 

11. Ensure that the final primary FCS switch has the desired Secure Fabric OS policy set, 
zoning configuration, password information, multiple user account information, and 
SNMP community strings. The primary FCS switch will distribute this information 
fabric-wide. 

12. Verify that the fabric that contains the final primary FCS switch has a nonzero version 
stamp by logging into the fabric and entering the secModeShow command. If this fabric 
does not show a nonzero version stamp, modify a policy and enter either the 
secPolicySave or secPolicyActivate command to create a nonzero version 
stamp. Set the version stamp of the other fabrics to 0 by logging in to each fabric and 
entering the secVersionReset command. 

13. If fabrics are to be rejoined after a segmentation, enter the switchDisable and 
switchEnable commands on each switch that was segmented from the primary FCS 
switch. For each ISL connected to the segmented switch, enter the portDisable and 
portEnable commands on both ISL ports. 

14. Physically connect the fabrics. The fabrics automatically merge and the Secure Fabric OS 
configuration associated with the primary FCS switch that has the nonzero version stamp 
is kept. 
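The pre-merge check below is an added example, written for this guide's description of version stamps ("Resetting the version number and time stamp") and of the merge procedure above; it is not code from the guide or from Fabric OS. It takes constructed descriptions of each fabric (the values a real check would read from secModeShow, version, pkiShow or configShow "pki", and secPolicyShow output) and reports every condition that would make the merge segment or keep the wrong configuration: mixed secure-mode states, FCS policies that are not an exact ordered match, a version stamp that is zero on the fabric to keep or nonzero elsewhere, unsupported Fabric OS versions, missing PKI objects, and an inconsistent Management Server Platform Service. The Fabric and Switch classes, their field names, and the sample WWNs are assumptions made for the example.

```python
"""Pre-merge consistency check for fabrics running Secure Fabric OS.

Added example; not code from the guide or from Fabric OS. Data classes,
field names and sample values are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Fabric OS releases the guide names as supported for a secure merge.
SUPPORTED_VERSIONS = ("v2.6.2", "v3.2.0", "v4.4.x")


@dataclass
class Switch:
    name: str
    fos_version: str            # as reported by the version command
    pki_objects: dict           # object name -> "Exist" or "Empty"
    ms_platform_enabled: bool   # Management Server Platform Service state


@dataclass
class Fabric:
    name: str
    secure_mode: bool
    version_stamp: int          # 0 or nonzero, as shown by secModeShow
    fcs_policy: list            # ordered FCS switch identifiers (assumed WWN strings)
    switches: list = field(default_factory=list)


def _version_supported(version):
    # "v4.4.x" in the guide covers any v4.4 release
    return any(version.startswith(s.rstrip("x")) for s in SUPPORTED_VERSIONS)


def check_merge(fabrics, keep):
    """Return a list of problems; an empty list means the merge may proceed.

    `keep` names the fabric whose Secure Fabric OS database must survive
    the merge; it must be the only one with a nonzero version stamp.
    """
    problems = []
    keeper = next((f for f in fabrics if f.name == keep), None)
    if keeper is None:
        return [f"fabric {keep!r} is not among the fabrics being merged"]

    # All fabrics must be in the same secure-mode state or they segment.
    if len({f.secure_mode for f in fabrics}) != 1:
        problems.append("fabrics differ in secure-mode state; they would segment")

    # FCS policies must match exactly: same switches, same identifiers, same order.
    for f in fabrics:
        if f.fcs_policy != keeper.fcs_policy:
            problems.append(f"{f.name}: FCS policy differs from {keep}; "
                            "entries must match in identifier and order")

    # Only the fabric to keep may carry a nonzero version stamp.
    if keeper.version_stamp == 0:
        problems.append(f"{keep}: version stamp is 0; modify a policy and enter "
                        "secPolicySave or secPolicyActivate to make it nonzero")
    for f in fabrics:
        if f is not keeper and f.version_stamp != 0:
            problems.append(f"{f.name}: version stamp must be reset to 0 "
                            "with secVersionReset")

    # Per-switch prerequisites from the merge procedure.
    ms_states = set()
    for f in fabrics:
        for s in f.switches:
            if not _version_supported(s.fos_version):
                problems.append(f"{f.name}/{s.name}: Fabric OS {s.fos_version} "
                                "is not supported for a secure merge")
            missing = [k for k, v in s.pki_objects.items() if v != "Exist"]
            if missing:
                problems.append(f"{f.name}/{s.name}: PKI objects not present: "
                                + ", ".join(missing))
            ms_states.add(s.ms_platform_enabled)
    if len(ms_states) > 1:
        problems.append("Management Server Platform Service is not consistently "
                        "enabled or disabled across all switches")
    return problems
```

Running check_merge before physically connecting the fabrics is the cheap way to catch the case the guide warns about: two fabrics that both have a nonzero version stamp, where the survivor would be decided for you rather than by you.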



Troubleshooting 

Some of the most likely issues with Secure Fabric OS management and the recommended 
actions are described in Table 19. The information in the table is based on the assumption 
that the fabric was originally fully functional and secure mode was enabled. 



NOTE: Some of the recommended actions might interrupt data traffic. 



Table 19 Recovery processes 

Symptom: Secure Fabric OS policies do not appear to be in effect. 

Possible cause: Secure mode is not enabled. 
Recommended action: Type the secModeShow command. If secure mode is disabled, enter the 
secModeEnable command on the switch that you want to become the primary FCS switch and 
specify the FCS switches at the prompts. 

Possible cause: Policy changes have not been applied. 
Recommended action: Type the secPolicyShow command and review the differences between 
the active and defined policy sets. If desired, enter the secPolicyActivate command to 
activate all recent policy changes. 

Possible cause: Fabric has segmented. 
Recommended action: See possible causes and actions for "One or more switches has 
segmented from the fabric," later in this table. 

Symptom: Commands cannot be executed from any switch in the fabric. 

Possible cause: All FCS switches have failed but secure mode is still enabled, preventing 
access to fabric. 
Recommended action: Type the secModeEnable command from the switch that you want to 
become the new primary FCS switch, and specify the FCS switches. 
Note: Specify adequate backup FCS switches to prevent a recurrence of this problem. 

Symptom: Cannot access some or all switches in the fabric. 

Possible cause: The MAC policies are restricting access. 
Note: An empty MAC policy blocks all access through that management channel. 
Recommended action: Use a serial cable to connect to the primary FCS switch; then, enter 
the secPolicyShow command to review the MAC policies. Modify policies as necessary by 
either entering valid entries 

Symptom: Cannot access primary FCS switch by any management method. 

Possible cause: Primary FCS switch has failed or lost all connections. 
Recommended action: Log in to the backup FCS switch that you want to become the new 
primary FCS switch and enter the secFCSFailover command to reassign the primary FCS 
role to a backup FCS switch. 

If no backup FCS switches are available, enter the secModeEnable command to specify a 
new primary FCS switch. Specify adequate backup FCS switches to prevent a recurrence. 

Troubleshoot the previous primary FCS switch as required. 

Symptom: A device or switch port listed in the SCC or in a DCC policy cannot be accessed. 

Possible cause: Switch port might be disabled. 
Recommended action: Type the switchShow command. If the port in question is disabled, 
enter the portEnable command. If the switch port still cannot be accessed, enter the 
portEnable command for the port on the other switch. 

Symptom: One or more CLI sessions is automatically logged out. 

Possible cause: Password might have been modified for login account in use, the 
secModeEnable command might have been issued, or switches might have changed switch 
roles (primary to backup, backup to primary, and so forth). 
Recommended action: Try closing and reopening CLI session. 

Symptom: On chassis-based platforms, status messages from any logical switch are 
broadcast to the serial console and telnet sessions on all other logical switches. 

Possible cause: The status messages from any logical switch are normally broadcast to the 
serial console and telnet sessions on all logical switches. 
Recommended action: All broadcast messages display the switch instance. Messages that 
originate from a switch instance other than the one to which the telnet session is logged in 
can be ignored. 

Symptom: CLI session freezes or cannot be established after secure mode is enabled. 

Possible cause: CP failed over and network routing cache(s) require updating. 
Recommended action: Try closing and reopening CLI session. If this fails, request that your 
LAN administrator refresh the network router cache(s). 

Symptom: A policy that has been created is not listed by the secPolicyShow command. 

Possible cause: The new policy was not saved or activated. 
Recommended action: Save or activate the policy changes by entering the secPolicySave 
or secPolicyActivate command. 

Possible cause: Incorrect policy name used. 
Recommended action: Verify that the correct policy name was used. Policy names must be 
entered in all uppercase characters. 

Symptom: The message "The page cannot be displayed" is displayed when HTTP access is 
attempted, and response time is slow. 

Possible cause: An HTTP policy has been created but has no members. 
Recommended action: Add the desired members to the HTTP policy. 

Symptom: Unable to establish a sectelnet/SSH session to the IP address of the active CP of a 
Core Switch 2/64 or SAN Director 2/128, or a session to the standby CP is disconnected 
when it becomes the active CP. 

Possible cause: sectelnet/SSH sessions cannot be established to the IP address of the active 
CP in secure mode. This enables enforcement of Telnet policy for each logical switch. 
Recommended action: Establish a sectelnet/SSH session to the IP addresses of the logical 
switches or the standby CP instead (if allowed by Telnet policy). 

Symptom: A security transaction appears to have been lost. 

Possible cause: One of the switches in the fabric rebooted while the transaction was in 
progress. 
Recommended action: Wait for the switch to complete booting; then, reenter the security 
command on the new primary FCS switch to complete the transaction. 

Symptom: Fabric segments after secure mode is enabled on a Core Switch 2/64 or SAN 
Director 2/128. 

Possible cause: CPs failed over during process of enabling secure mode. 
Recommended action: Type secModeEnable again on the segmented switch, using the same 
FCS list as used before. 

Symptom: One or more switches is segmented from the fabric. 
Note: For instructions on rejoining fabrics, refer to the instructions in "Adding switches and 
merging fabrics with Secure mode enabled" on page 103. 

Possible cause: SCC_POLICY is excluding the segmented switches. 
Recommended action: Use the secPolicyAdd command on the primary FCS switch to add 
the switches to the SCC_POLICY. 

Possible cause: Management server services on the segmented switches are inconsistent 
with rest of fabric. 
Recommended action: Ensure that the Management Server Platform Service is consistently 
enabled or disabled across all the switches in the fabric. For information about the 
management server support provided by Fabric OS, refer to the HP StorageWorks Fabric OS 
4.x command reference manual. 

Possible cause: The segmented switches are missing PKI objects. 
Recommended action: Determine the status of the PKI objects by following the procedure in 
"Verifying installation of the digital certificates" on page 38. If any objects are missing, 
replace as described in "Recreating PKI objects if required" on page 39. 

Possible cause: ISLs to the segmented switches were interrupted or a port failure occurred. 
Recommended action: Check the hardware connections and the port status for all ISLs 
between the segmented switches and the fabric. 

Possible cause: Configurations of the segmented switches diverged from rest of the fabric. 
Recommended action: Disable the segmented switches, reset the configuration parameters 
to match the rest of the fabric, and reenable the switches. 

Possible cause: FCS policies on the segmented switches are not identical to the FCS policy 
of the fabric. 
Recommended action: If one or more switches is segmented without any FCS switches, enter 
the secModeEnable command on a segmented switch and specify an FCS policy that is 
identical to the FCS policy of the rest of the fabric. The segmented switch or group of 
switches is automatically fastbooted. 

If one or more switches is segmented along with a primary FCS switch, modify the FCS 
policy as required until it is identical to the FCS policy in the rest of the fabric. 

Symptom: When the SCC policy is created after a fabric segmentation, it automatically 
includes the segmented FCS switches. 

Possible cause: The segmented FCS switches are still listed in the FCS policy. 
Recommended action: Modify FCS policy to remove segmented FCS switches; then, modify or 
create the SCC policy as required. 

Symptom: Passwords that should be consistent across the fabric are not consistent. 

Possible cause: A password recovery operation might have been performed on one or more 
switches. 
Recommended action: To make the passwords the same, log in to the switch that had the 
password recovered and enter the switchDisable command, followed by 
secVersionReset and switchEnable commands. 

Symptom: Unsaved changes to the policies are lost. 

Possible cause: The primary FCS switch might have failed over. 
Recommended action: Reenter the changes; then, enter the secPolicySave or 
secPolicyActivate command. 

Symptom: During sectelnet sessions, security does not enable and a hex dump displays. 

Possible cause: During the active sectelnet session, PKI objects (key and certificate) are 
removed and reinstalled from another login session. This results in the certificate in the 
current sectelnet session becoming invalid and displaying errors. 
Recommended action: Log out from your current sectelnet session and log back in. 

Frequently asked questions 

This section organizes the frequently asked questions into the following groups: 

• General, page 113 

• Management access, page 114 

• Digital certificates and PKI objects, page 114 

• Merging fabrics, page 116 

• Passwords, page 116 

General 

Is Secure Fabric OS standards-based? 

Yes. Secure Fabric OS uses standards-based security mechanisms and protocols. 

Which switches and fabrics support Secure Fabric OS? 

Any switch that is running Fabric OS v2.6.2, v3.2.0, or v4.4.x as appropriate to the 
switch. 

Secure Fabric OS might be implemented across fabrics containing any mixture of 1 Gbit/sec 
or 2 Gbit/sec switches running v2.6.2, v3.2.0, or v4.4.x. If switches in the same fabric are 
running Fabric OS v3.2.0 or v4.4.x, then the 1 Gb SAN switches must be running Fabric OS 
v2.6.2. 

Can you enable Secure Fabric OS on some switches but not others in the same fabric? 

No. Secure Fabric OS is enabled on a fabric-wide basis. All switches in the fabric must 
support Secure Fabric OS for it to be effective. Any switches that do not have Secure 
Fabric OS installed are segmented from the rest of the fabric. 

How is Secure Fabric OS managed? 

Secure Fabric OS can be managed through the following methods: 

• A supported CLI client 

Secure Fabric OS v2.6.2, v3.2.0, and v4.4.x support the sectelnet client. Secure Fabric 
OS v4.4.x also supports Secure Shell v2 clients. 

• Fabric Manager 

• Web Tools 

• Fabric Access (API) 

Does Secure Fabric OS prevent all unauthorized access? 

There is no 100 percent protection in any network; however, the Secure Fabric OS 
product makes it possible for the administrator to create a significantly increased level of 
security that is customized to the fabric. 

After Secure Fabric is turned on, can it be turned off again? 

Yes, by using the secModeDisable command. Turning secure mode off does not disrupt 
traffic. 

What happens if I create a policy with no members in it? 

You cannot create an empty FCS Policy, but you can create other types of policies with no 
members. However, creating a policy with no members closes all access to that aspect of 
the fabric, which can result in preventing administrative access to the fabric. Before setting 
a policy, read all the information provided about that policy in "Creating Secure Fabric 
OS policies other than the FCS policy" on page 66. 

How do I prevent someone from adding a computer to the fabric and mounting a LUN? 

The following approaches can be used in conjunction, although no guarantees can be 
made of absolute security: 

• Store all the FCS switches in a physically secure area. 

• Use hardware-based zoning. 

• Create a DCC policy for each switch in the fabric. 

• Create an Options policy. 

Management access 

What version of SSH and the SSH clients does Fabric OS v4.4.x support? 

Fabric OS v4.4.x supports version 2 of the SSH protocol. Use an SSH client that supports 
version 2 of the protocol, such as OpenSSH or F-Secure. 

Can I use standard telnet when secure mode is enabled? 

No, standard telnet is not supported when secure mode is enabled. However, sectelnet is 
available for Fabric OS v2.6.2, v3.2.0, and v4.4.x; SSH is also available for v4.4.x. 

Is SSH part of the Secure Fabric OS feature? 

No, SSH is automatically included with Fabric OS v4.4.x, regardless of whether the 
Secure Fabric OS license is activated. 

Digital certificates and PKI objects 

What is PKI? 
PKI stands for Public Key Infrastructure; it refers to the use of cryptography to provide 
security (authentication, encryption, and so on). 

Can digital certificates be duplicated or installed on other switches? 

No; digital certificates correspond to the switch WWN and the private/public key pair 
generated by the switch. 

Does the digital certificate have to be reinstalled if the motherboard is replaced? 

This depends on the version of Fabric OS on the new motherboard. Hardware shipped 
with Fabric OS v3.2.0 or v4.4.x automatically includes digital certificates. To determine 
whether the new motherboard already has a digital certificate, follow the instructions for 
verifying the PKI objects. 

Do all switches already have a digital certificate? 

No, only switches that were shipped with v3.2.0 or v4.4.x installed have digital 
certificates. For switches that are upgraded, follow the procedures provided in "Adding 
Secure Fabric OS to switches that require upgrading" on page 25. 

How can I tell whether the digital certificate or PKI objects are available on a switch? 

For Fabric OS v4.4.x, enter the pkiShow command. For Fabric OS v3.2.0, enter 
configShow "pki". 

What happens if the PKI objects are deleted? 

PKI objects cannot be deleted in secure mode. If they are deleted when secure mode is 
disabled, secure mode cannot be reenabled until they are regenerated. If any PKI objects 
are missing, all the PKI objects should be deleted using the pkiRemove command and 
then regenerated using the pkiCreate command or by rebooting the switch (any missing 
PKI objects, except the digital certificate, are automatically regenerated when the switch is 
rebooted). If the digital certificate is deleted, it must be reinstalled on the switch according 
to the instructions provided in "Distributing digital certificates to the switches" on page 34. 

For Fabric OS v3.2.0, use configRemove to remove all the PKI objects, then configUpload, 
and then fastboot the switch. After the switch reboots, all PKI objects are available except 
for the certificate. 

Are PKI objects required for any switch operations other than Secure Fabric OS? 

The PKI objects are only required for Secure Fabric OS and the sectelnet client. 

Why can I issue the secModeEnable command with an invalid certificate? 

Web Tools and Fabric OS are not consistent in reporting switch certificate status. Web 
Tools reports a valid certificate with extra characters appended as invalid, whereas Fabric 
OS accepts the certificate and allows the secModeEnable command to complete 
successfully. 
Merging fabrics 

Which switch becomes the primary FCS switch when fabrics are merged? 

The first switch that is listed in the shared FCS policy for the merged fabric. If the FCS 
policies of the fabrics do not match before the merge, the fabrics segment. 

What happens to the zoning information when fabrics are merged? 

The switch that succeeds as the primary FCS switch distributes its zoning information to all 
the switches in the newly merged fabric. Before merging fabrics, back up the zoning 
configurations and ensure that the switch that will succeed as the primary FCS switch has 
the desired zoning configuration. 

Passwords 

What if I forget the root password? 

Refer to "Managing passwords" on page 97 for general guidelines on password 
management. Refer to the section "Password Recovery," in the HP StorageWorks Fabric 
OS 4.x procedures user guide for more information. 
A Secure Fabric OS commands and Secure mode restrictions 



Secure Fabric OS commands, zoning commands, and some management server commands 
must be entered through the primary FCS switch. 

This appendix provides the following information: 

• Secure Fabric OS commands, page 117 

• Command restrictions in Secure mode, page 122 

For more detailed information about commands, refer to the HP StorageWorks Fabric OS 4.x 
procedures user guide. 

Secure Fabric OS commands 

The Secure Fabric OS commands provide the following capabilities: 

• Enable and disable secure mode 

• Fail over the primary FCS switch 

• Create and modify Secure Fabric OS policies 

• View all Secure Fabric OS-related information 

• Modify passwords 

• Create and remove temporary passwords 

• View and reset Secure Fabric OS statistics 

• View and reset version stamp information 

Most Secure Fabric OS commands must be executed on the primary FCS switch when secure 
mode is enabled. For a list of restricted commands, see "Command restrictions in Secure 
mode" on page 1 22. 
Table 20 lists all the commands available for managing Secure Fabric OS. 

Table 20 Secure Fabric OS commands 

Command | Access level | Description | Secure mode and non-secure mode | Switches to use 
------- | ------------ | ----------- | ------------------------------- | --------------- 
authutil | admin | Displays current authentication parameters and lets you set the protocol used to authenticate switches. | Both | Any 
pkiCreate | admin | Re-creates the PKI objects on the switch. See "Recreating PKI objects if required" on page 39. | Nonsecure mode | n.a. 
pkiRemove | admin | Removes the PKI objects from the switch. | Nonsecure mode | n.a. 
pkiShow | All users | Displays the status of the PKI objects and digital certificate on the switch. See "Verifying installation of the digital certificates" on page 38. | Both | Any 
secActiveSize | admin | Displays the size of the active Secure Fabric OS database. | Both | Any 
secAuthSecret | admin | Displays, sets, and removes secret key information from the database or deletes the entire database. | Both | Any 
secDefineSize | admin | Displays the size of the defined Secure Fabric OS database. | Both | Any 
secFabricShow | admin | Displays Secure Fabric OS-related fabric information. See "Displaying general Secure Fabric OS information" on page 90. | Secure mode | Any 
secFCSFailover | admin | Transfers the role of the primary FCS switch to the next switch in the FCS policy. See "Failing over the primary FCS switch" on page 64. | Secure mode | Backup FCS switch 
secGlobalShow | admin | Displays current state information for Secure Fabric OS, such as version stamp and status of transaction in progress. | Both | Any 
secHelp | admin | Displays a list of Secure Fabric OS commands. To use, enter the secHelp command at the CLI prompt. | Both | Any 
secModeDisable | admin | Disables secure mode. See "Disabling Secure mode" on page 128. | Secure mode | Primary FCS switch 
secModeEnable | admin | Enables secure mode. See "Enabling Secure mode" on page 57. This command cannot be entered if secure mode is already enabled unless all the FCS switches have failed. | Nonsecure mode (available in secure mode if no FCS switches are left) | Enter from intended primary FCS switch 
secModeShow | admin | Shows current mode of Secure Fabric OS. See "Displaying status of Secure mode" on page 92. | Both | Any 
secNonFCSPasswd | admin | Sets non-FCS admin account password. See "Modifying the non-FCS switch admin password" on page 100. | Secure mode | Primary FCS switch 
secPolicyAbort | admin | Aborts all policy changes since changes were last saved. See "Aborting all uncommitted changes" on page 87. | Secure mode | Primary FCS switch 
secPolicyActivate | admin | Activates all policy changes since this command was last issued. Activated policy changes are stored in the active policy set. See "Activating changes to Secure Fabric OS policies" on page 84. | Secure mode | Primary FCS switch 
secPolicyAdd | admin | Adds members to a policy. See "Adding a member to an existing policy" on page 85. | Secure mode | Primary FCS switch 
secPolicyCreate | admin | Creates a policy. See "Creating Secure Fabric OS policies other than the FCS policy" on page 66. | Secure mode | Primary FCS switch 
secPolicyDelete | admin | Deletes a policy. See "Deleting a policy" on page 86. | Secure mode | Primary FCS switch 
secPolicyDump | admin | Displays the Secure Fabric OS policy database. See "Viewing the Secure Fabric OS policy database" on page 90. | Secure mode | Primary or backup FCS switch 
secPolicyFCSMove | admin | Moves an FCS member in the FCS list. See "Changing the position of a switch within the FCS policy" on page 63. | Secure mode | Primary FCS switch 
secPolicyRemove | admin | Removes members from a policy. See "Removing a member from a policy" on page 86. | Secure mode | Primary FCS switch 
secPolicySave | admin | Saves all policy changes since either secPolicySave or secPolicyActivate were last issued. All policy changes that are saved but not activated are stored in the defined policy set. See "Saving changes to Secure Fabric OS policies" on page 84. | Secure mode | Primary FCS switch 
secPolicyShow | admin | Shows members of one or more policies. See "Displaying individual Secure Fabric OS policies" on page 91. | Secure mode | Primary or backup FCS only 
secStatsReset | admin | Resets Secure Fabric OS statistics to 0. See "Resetting Secure Fabric OS statistics" on page 96. | Both | Any 
secStatsShow | admin | Displays Secure Fabric OS statistics. See "Displaying Secure Fabric OS statistics" on page 96. | Both | Any 
secTempPasswdReset | admin | Removes temporary passwords. See "Removing a temporary password from a switch" on page 102. | Secure mode | Primary FCS switch 
secTempPasswdSet | admin | Sets a temporary password for a switch. See "Creating a temporary password for a switch" on page 101. | Secure mode | Primary FCS switch 
secTransAbort | admin | Aborts the current Secure Fabric OS transaction. See "Aborting a Secure Fabric OS transaction" on page 87. | Both | Any 
secVersionReset | admin | Resets version stamp. See "Resetting the version number and time stamp" on page 102. | Secure mode | Primary FCS switch; if not available, then non-FCS switch. 



Command restrictions in Secure mode 

This section provides information about the restrictions that secure mode places on 
commands. Any commands not listed here can be executed on any switch, whether or not 
secure mode is enabled. 

Zoning commands 

All zoning commands must be executed on the primary FCS switch, except for the cfgShow 
command, which can also be executed on the backup FCS switch. Table 21 lists the zoning 
commands. 



Table 21 Zoning commands 

Command | Primary FCS switch | Backup FCS switch | Non-FCS switch 
------- | ------------------ | ----------------- | -------------- 
aliAdd | Yes | No | No 
aliCreate | Yes | No | No 
aliDelete | Yes | No | No 
aliRemove | Yes | No | No 
aliShow | Yes | Yes | No 
cfgAdd | Yes | No | No 
cfgClear | Yes | No | No 
cfgCreate | Yes | No | No 
cfgDelete | Yes | No | No 
cfgDisable | Yes | No | No 
cfgEnable | Yes | No | No 
cfgRemove | Yes | No | No 
cfgSave | Yes | No | No 
cfgShow | Yes | Yes | No 
cfgSize | Yes | Yes | Yes 
cfgTransAbort | Yes | No | No 
cfgTransShow | Yes | Yes | No 
faZoneAdd | Yes | No | No 
faZoneCreate | Yes | No | No 
faZoneDelete | Yes | No | No 
faZoneRemove | Yes | No | No 
faZoneShow | Yes | Yes | No 
qloopAdd | Yes | No | No 
qloopCreate | Yes | No | No 
qloopDelete | Yes | No | No 
qloopRemove | Yes | No | No 
qloopShow | Yes | No | No 
zoneAdd | Yes | No | No 
zoneCreate | Yes | No | No 
zoneDelete | Yes | No | No 
zoneRemove | Yes | No | No 
zoneShow | Yes | No | No 


Miscellaneous commands 

Table 22 lists which miscellaneous commands, including management server and SNMP 
commands, can be executed on which switches. Commands not listed here (or in the 
preceding two tables) can be executed on any switch. 



Table 22 Miscellaneous commands 

Command | Primary FCS switch | Backup FCS switch | Non-FCS switch 
------- | ------------------ | ----------------- | -------------- 
agtcfgDefault | Yes | Yes (except cannot modify community strings) | Yes (except cannot modify community strings) 
agtcfgSet | Yes | Yes (except cannot modify community strings) | Yes (except cannot modify community strings) 
configUpload | Yes | Yes | Not recommended. The zoning and Secure Fabric OS configurations are not uploaded if entered on a non-FCS switch. 
date | Yes | Yes (read only) | Yes (read only) 
date <operand to set time> | Yes | No | No 
msCapabilityShow | Yes | Yes | Yes 
msConfigure | Yes (except ACL does not display) | Yes (except ACL does not display) | Yes (except ACL does not display) 
msPlatShow | Yes | Yes | Yes 
msplClearDB | Yes | No | No 
msplMgmtActivate | Yes | No | No 
msplMgmtDeactivate | Yes | No | No 
mstdDisable | Yes | Yes | Yes 
mstdDisable "all" | Yes | No | No 
mstdEnable | Yes | Yes | Yes 
mstdEnable "all" | Yes | No | No 
mstdReadConfig | Yes | Yes | Yes 
passwd | Yes | No | No 
tsClockServer | Yes | Yes (read only) | Yes (read only) 
tsClockServer <IP address of network time protocol (NTP) server> | Yes | No | No 
userConfig | Yes | No (only allows display) | No (only allows display) 
wwn (display only; cannot modify WWNs in secure mode) | Yes | Yes | Yes 
B Removing Secure Fabric OS 



Secure Fabric OS capability can be removed from a fabric by disabling secure mode and 
deactivating the Secure Fabric OS license keys on the individual switches. Removing Secure 
Fabric OS capability is not recommended unless absolutely required. If at all possible, 
consider disabling only secure mode and leaving the Secure Fabric OS feature available so 
that secure mode can be reenabled if desired. 

One possible reason for disabling secure mode or removing Secure Fabric OS capability is the 
addition of new switches to the fabric that do not support Secure Fabric OS. 

Disabling secure mode includes the following steps: 

• Preparing the fabric for removal of Secure Fabric OS policies, page 127 

• Disabling Secure mode, page 128 

In addition, the following steps can be taken if desired: 

• Deactivating the Secure Fabric OS license on each switch, page 129 

• Uninstalling related items from the host, page 129 

Preparing the fabric for removal of Secure Fabric OS policies 

The following tasks are recommended to prepare the fabric before disabling secure mode: 

• Review the current Secure Fabric OS policies and the devices and users affected by each 
policy. The current policy set can be displayed by entering the secPolicyDump 
command. 

• Review the types of attempted policy violations that have been occurring. The current 
Secure Fabric OS statistics can be displayed by entering the secStatsShow command. 

• Evaluate the zoning configuration and other aspects of the fabric for any changes that 
could be implemented to decrease the chance of security violations when Secure Fabric 
OS is disabled. 

• Educate users to minimize security risks and the impact of any security violations. 
Disabling Secure mode 

Secure mode is enabled and disabled on a fabric-wide basis and can be enabled and 
disabled as often as desired. However, all Secure Fabric OS policies, including the FCS 
policy, are deleted each time secure mode is disabled, and must be re-created the next time it 
is enabled. The policies can be backed up using the configUpload and configDownload 
commands. For more information about these commands, refer to the HP StorageWorks 
Fabric OS 4.x command reference manual. 

Secure mode can be disabled only through a sectelnet, Secure Shell, or serial connection to 
the primary FCS switch. When secure mode is disabled, all current login sessions are 
automatically terminated. 

For information about reenabling secure mode, see "Enabling Secure mode" on page 57. 

To disable secure mode, perform the following tasks: 

1. From a sectelnet, Secure Shell, or serial session, log in to the primary FCS switch as 
admin. 

2. Type secModeDisable. 

3. Type the password when prompted. 

4. Type y to confirm that secure mode should be disabled. 

Secure mode is disabled, all current login sessions are terminated, and the passwords are 
modified as follows: 

• On the switches that were FCS switches, the user, admin, factory, and root passwords 
remain the same as in secure mode. 

• On the switches that were non-FCS switches, the root, factory, and admin passwords 
become the same as the non-FCS admin password. 

primaryfcs:admin> secmodedisable 
Warning!!! 
About to disable security. 
ARE YOU SURE (yes, y, no, n): [no] y 
Committing configuration... done. 
Removing Active FMPS... 
done 
Removing Defined FMPS... 
done 
Disconnecting current session. 
Deactivating the Secure Fabric OS license on each switch 

Deactivating the Secure Fabric OS license is not required to disable Secure Fabric OS 
functionality. 

NOTE: If the user installs and activates a feature license and then removes the license, the 
feature is not disabled until the next time the system is rebooted or a switch enable/disable is 
performed. 

To deactivate the software license: 

1. Open a CLI connection (serial or telnet) to the switch. 

2. Type the licenseShow command to display the Secure Fabric OS license key. 

Copy the license key from the licenseShow output directly into the CLI for the next step. 

3. Type licenseRemove "key". 

key is the license key and is case sensitive. 

4. Repeat for each switch in the fabric. 

switch:admin> licenseremove "lAlAaAaaaAAAAla" 
removing license-key "lAlAaAaaaAAAAla" 
Committing configuration...done. 
For license to take effect, Please reboot switch now.... 

Uninstalling related items from the host 

The following items can optionally be removed from the host: 

• PKICert utility 

• sectelnet 

• Secure Shell client 

These items do not have to be uninstalled to disable Secure Fabric OS functionality. 

Follow the standard procedure for uninstalling software from the workstation. On a Windows 
host computer, use the Add/Remove Programs control panel or just delete the folder. On 
a Solaris host, use the rm command to remove the folder. 
Glossary 



A 

AL_PA Arbitrated loop physical address. A unique 8-bit value assigned during loop initialization to a port in an arbitrated loop. 

alias server A fabric software facility that supports multicast group management. 

API Application programming interface. A defined protocol that allows applications to interface with a set of services. 

AW_TOV Arbitration wait time-out value. The minimum time an arbitrating L_Port waits for a response before beginning loop initialization. 



B 

backup FCS switch Backup fabric configuration server switch. The switch or switches assigned as backup in case the primary FCS switch fails. 

bandwidth The total transmission capacity of a cable, link, or system. Usually measured in bps (bits per second). May also refer to the range of transmission frequencies available to a link or system. 

broadcast The transmission of data from a single source to all devices in the fabric, regardless of zoning. 

buffer-to-buffer flow control Management of the frame transmission rate in either a point-to-point topology or in an arbitrated loop. 



C 

CLI Command line interface. Interface that depends entirely on the use of commands, such as through telnet or SNMP, and does not involve a GUI. 

compact flash Flash (temporary) memory that is used in a manner similar to hard disk storage. It is connected to a bridging component which connects to the PCI bus of the processor. Not visible within the processor's memory space. 

configuration The way in which a system is set up. May refer to hardware or software. 

Hardware: The number, type, and arrangement of components that make up a system or network. 

Software: The set of parameters that guide switch operation. May include general system parameters, IP address information, domain ID, and other information. Modifiable by any login with administrative privileges. 

May also refer to a set of zones. 

CRC Cyclic redundancy check. A check for transmission errors that is included in every data frame. 



D 

data word A type of transmission word that occurs within frames. The frame header, data field, and CRC all consist of data words. 

defined zone configuration The set of all zone objects defined in the fabric. May include multiple zone configurations. 

DLS Dynamic load sharing. Dynamic distribution of traffic over available paths. Allows for recomputing of routes when an Fx_Port or E_Port changes status. 

domain ID Unique identifier for all switches in a fabric, used in routing frames. Usually automatically assigned by the principal switch, but can be assigned manually. The domain ID for an HP switch can be any integer between 1 and 239. Generally, the default domain ID is 1. 
E 

E_D_TOV Error detect time-out value. The minimum amount of time a target waits for a sequence to complete before initiating recovery. Can also be defined as the maximum time allowed for a round-trip transmission before an error condition is declared. 

E_Port Expansion port. A type of switch port that can be connected to an E_Port on another switch to create an ISL. 

EE_Credit End-to-end credit. The number of receive buffers allocated by a recipient port to an originating port. Used by Class 1 and 2 services to manage the exchange of frames across the fabric between source and destination. 

EIA rack A storage rack that meets the standards set by the Electronics Industry Association. 

enabled zone configuration The currently enabled configuration of zones. Only one configuration can be enabled at a time. 

end-to-end flow control Governs flow of class 1 and 2 frames between N_Ports. 

error As applies to fibre channel, a missing or corrupted frame, time-out, loss of synchronization, or loss of signal (link errors). 

exchange The highest level fibre channel mechanism used for communication between N_Ports. Composed of one or more related sequences, and can work in either one or both directions. 

F 

F_Port Fabric port. A port that is able to transmit under fabric protocol and interface over links. Can be used to connect an N_Port to a switch. 

fabric A fibre channel network containing two or more switches in addition to hosts and devices. May also be referred to as a switched fabric. 

fabric name The unique identifier assigned to a fabric and communicated during login and port discovery. 

FCIA Fibre Channel Industry Association. An international organization of fibre channel industry professionals. Among other things, provides oversight of ANSI and industry developed standards. 

FCP Fibre channel protocol. Mapping of protocols onto the fibre channel standard protocols. For example, SCSI FCP maps SCSI-3 onto fibre channel. 

FCS switch Fabric Configuration Server Switch. One or more designated HP switches that store and manage the configuration and security parameters for all switches in the fabric. 
fill word An IDLE or ARB ordered set that is transmitted during breaks between data frames to keep the fibre channel link active. 

FL_Port Fabric loop port. A port that is able to transmit under fabric protocol and also has arbitrated loop capabilities. Can be used to connect an NL_Port to a switch. 

FRU Field-Replaceable Unit. A component that can be replaced on site. 

FS Fibre Channel Service. A service that is defined by fibre channel standards and exists at a well-known address. For example, the Simple Name Server is a fibre channel service. 

FSP Fibre channel service protocol. The common protocol for all fabric services, transparent to the fabric type or topology. 

FSPF Fabric shortest path first. HP's routing protocol for fibre channel switches. 

Fx_Port A fabric port that can operate as either an F_Port or FL_Port. 

G 

G_Port Generic port. A port that can operate as either an E_Port or F_Port. A port is defined as a G_Port when it is not yet connected or has not yet assumed a specific function in the fabric. 

H 

hard address The AL_PA that an NL_Port attempts to acquire during loop initialization. 

I 

idle Continuous transmission of an ordered set over a fibre channel link when no data is being transmitted, to keep the link active and maintain bit, byte, and word synchronization. 

integrated fabric The fabric created by connecting multiple HP switches with multiple ISL cables, and configuring the switches to handle traffic as a seamless group. 

ISL trunking The distribution of traffic over the combined bandwidth of multiple ISLs. A set of trunked ISLs is called a "trunking group", and the ports in a trunking group are called "trunking ports". 

isolated E_Port An E_Port that is online but not operational due to overlapping domain IDs or nonidentical parameters (such as E_D_TOVs). 
K 

K28.5 A special 10-bit character used to indicate the beginning of a transmission word that performs fibre channel control and signaling functions. The first seven bits of the character are the comma pattern. 

kernel flash Flash (temporary) memory connected to the peripheral bus of the processor, and visible within the processor's memory space. Also known as "user flash". 

L 

L_Port Loop port. A node port (NL_Port) or fabric port (FL_Port) that has arbitrated loop capabilities. An L_Port can be in one of two modes: 

Fabric mode: Connected to a port that is not loop capable, and using fabric protocol. 

Loop mode: In an arbitrated loop and using loop protocol. An L_Port in loop mode can also be in participating mode or non-participating mode. 

latency The period of time required to transmit a frame, from the time it is sent until it arrives. Together, latency and bandwidth define the speed and capacity of a link or system. 

link As applies to fibre channel, a physical connection between two ports, consisting of both transmit and receive fibres. 

link services A protocol for link-related actions. 

LIP Loop initialization primitive. The signal used to begin initialization in a loop. Indicates either loop failure or resetting of a node. 

LM_TOV Loop master time-out value. The minimum time that the loop master waits for a loop initialization sequence to return. 

loop failure Loss of signal within a loop for any period of time, or loss of synchronization for longer than the time-out value. 

loop initialization The logical procedure used by an L_Port to discover its environment. Can be used to assign AL_PA addresses, detect loop failure, or reset a node. 

Loop_ID A hex value representing one of the 127 possible AL_PA values in an arbitrated loop. 

LPSM Loop Port State Machine. The logical entity that performs arbitrated loop protocols and defines the behavior of L_Ports when they require access to an arbitrated loop. 

LWL Long wavelength. A type of fiber optic cabling that is based on 1300 nm lasers and supports link speeds up to 2 Gbit/sec. May also refer to the type of transceiver. 
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M 

master port 
MIB 

multicast 



The port that determines the routing paths for all traffic flowing through a trunking 
group. One of the ports that is in the first ISL in the trunking group is designated as the 
master port for that group. 

Management Information Base. An SNMP structure to help with device management, 
providing configuration and device information. 

The transmission of data from a single source to multiple specified N_Ports 
(as opposed to all the ports on the network). 



N 



N_Port 

name server 
NL_Port 

node 



Node port. A port on a node that can connect to a fibre channel port or to another 
N_Port in a point-to-point connection. 

Frequently used to indicate Simple Name Server. 

Node loop port. A node port that has arbitrated loop capabilities. Used to connect an 
equipment port to the fabric in a loop configuration through an FL_Port. 

A fibre channel device that contains an N Port or NL Port. 



non-participating A mode in which an L_Port in a loop is inactive and cannot arbitrate or send frames, 
mode but can retransmit any received transmissions. This mode is entered if there are more 

than 1 27 devices in a loop and an ALPA cannot be acquired. 



Nx Port 



A node port that can operate as either an N_Port or NL_Port. 



P

packet A set of information transmitted across a network.

participating mode A mode in which an L_Port in a loop has a valid AL_PA and can arbitrate, send frames, and retransmit received transmissions.

path selection The selection of a transmission path through the fabric. HP switches use the FSPF protocol.

phantom address An AL_PA value that is assigned to a device that is not physically in the loop. Also known as phantom AL_PA.

phantom device A device that is not physically in an arbitrated loop but is logically included through the use of a phantom address.



PLOGI Port login. The port-to-port login process by which initiators establish sessions with targets.

point-to-point A fibre channel topology that employs direct links between each pair of communicating entities.

port cage The metal casing extending out of the fibre channel port on the switch, and into which a GBIC or SFP transceiver can be inserted.

Port_Name The unique identifier assigned to a fibre channel port. Communicated during login and port discovery.

POST Power On Self-Test. A series of tests run by a switch after it is powered on.

primary FCS switch Primary fabric configuration server switch. The switch that actively manages the configuration and security parameters for all switches in the fabric.

private loop An arbitrated loop that does not include a participating FL_Port.

private NL_Port An NL_Port that communicates only with other private NL_Ports in the same loop and does not log into the fabric.

public device A device that supports arbitrated loop protocol, can interpret 8-bit addresses, and can log into the fabric.

public loop An arbitrated loop that includes a participating FL_Port, and may contain both public and private NL_Ports.

public NL_Port An NL_Port that logs into the fabric, can function within either a public or a private loop, and can communicate with either private or public NL_Ports.



Q

quad A group of four adjacent ports that share a common pool of frame buffers.

R

R_A_TOV Resource allocation time-out value. The maximum time a frame can be delayed in the fabric and still be delivered.

RAID Redundant Array Of Independent Disks. A collection of disk drives that appear as a single volume to the server and are fault tolerant through mirroring or parity checking.

request rate The rate at which requests arrive at a servicing entity.

route As applies to a fabric, the communication path between two switches. May also apply to the specific path taken by an individual frame, from source to destination.



routing The assignment of frames to specific switch ports, according to frame destination.

RR_TOV Resource recovery time-out value. The minimum time a target device in a loop waits after a LIP before logging out a SCSI initiator.

RSCN Registered state change notification. A switch function that allows notification of fabric changes to be sent from the switch to specified nodes.

S

SAN Storage Area Network. A network of systems and storage devices that communicate using fibre channel protocols.

SDRAM The main memory for the switch.

sequence A group of related frames transmitted in the same direction between two N_Ports.

service rate The rate at which an entity can service requests.

single mode The fiber optic cabling standard that corresponds to distances of up to 10 km between devices.

SNMP Simple Network Management Protocol. An internet management protocol that uses either IP for network-level functions and UDP for transport-level functions, or TCP/IP for both. Can be made available over other protocols, such as UDP/IP, because it does not rely on the underlying communication protocols.

SNS Simple Name Server. A switch service that stores names, addresses, and attributes for up to 15 minutes, and provides them as required to other devices in the fabric. May also be referred to as directory service.

switch Hardware that routes frames according to fibre channel protocol and is controlled by software.

switch port A port on a switch. Switch ports can be E_Ports, F_Ports, or FL_Ports.

SWL Short wavelength. A type of fiber optic cabling that is based on 850mm lasers and supports link speeds up to 2 Gbit/sec. May also refer to the type of transceiver.
T

tenancy The time from when a port wins arbitration in a loop until the same port returns to the monitoring state. Also referred to as loop tenancy.

throughput The rate of data flow achieved within a cable, link, or system. Usually measured in bps (bits per second).

topology As applies to fibre channel, the configuration of the fibre channel network and the resulting communication paths allowed. There are three possible topologies:

    Point to point: A direct link between two communication ports.

    Switched fabric: Multiple N_Ports linked to a switch by F_Ports.

    Arbitrated loop: Multiple NL_Ports connected in a loop.

transmission character A 10-bit character encoded according to the rules of the 8b/10b algorithm.

transmission word A group of four transmission characters.

trap (SNMP) The message sent by an SNMP agent to inform the SNMP management station of a critical error.



U

U_Port Universal port. A switch port that can operate as a G_Port, E_Port, F_Port, or FL_Port. A port is defined as a U_Port when it is not connected or has not yet assumed a specific function in the fabric.



W

well-known address As pertaining to fibre channel, a logical address defined by the fibre channel standards as assigned to a specific function, and stored on the switch.

workstation A computer used to access and manage the fabric. May also be referred to as a management station or host.

WWN World Wide Name. An identifier that is unique worldwide. Each entity in a fabric has a separate WWN.
Z

zone A set of devices and hosts attached to the same fabric and configured as being in the same zone. Devices and hosts within the same zone have access permission to others in the zone, but are not visible to any outside the zone.

zone configuration A specified set of zones. Enabling a configuration enables all zones in that configuration.
Index

A

aborting a Secure Fabric OS transaction 87
aborting all uncommitted changes 87
accessing PKI certificate help 44
account passwords
    customizing 23
activating a license key 24
activating a policy 84
activating changes to Secure Fabric OS policies 84
active policy set 15
Adding 46
adding a member to an existing policy 85
adding Secure Fabric OS to a fabric 20
adding Secure Fabric OS to SAN switches 21
adding Secure Fabric OS to Switches that require upgrading 25
adding switches with secure mode enabled 103
API policy 72
    about 72
audience 7
authentication 13
    configuring 50
authorized reseller, HP 10

C

changing the position of a switch within the FCS policy 63
command restrictions in secure mode 122
commands
    secFCSFailover 119
    secHelp 119
    secModeDisable 119
    secModeEnable 119
    secModeShow 119
    secNonFCSPasswd 119
    secPolicyAbort 120
    secPolicyActivate 120
    secPolicyAdd 120
    secPolicyCreate 120
    secPolicyDelete 120
    secPolicyDump 120
    secPolicyFCSMove 120
    secPolicyRemove 120
    secPolicySave 121
    secPolicyShow 121
    secStatsReset 121
    secStatsShow 121
    secTempPasswdReset 121
    secTempPasswdSet 121
    secTransAbort 122
    secVersionReset 122
configuring authentication 50
conventions
    document 8
    equipment symbols 7
    text symbols 8
creating
    Options policy 78
    policies 68
creating a DCC policy 79
creating a MAC policy 68
creating a temporary password for a switch 101
creating an Options policy 78
creating an SCC policy 82
creating an SNMP policy 68
creating PKI certificate reports 40
creating Secure Fabric OS policies other than the FCS policy 66
customizing the account passwords 27

D

deactivating the Secure Fabric OS license on each switch 129
default fabric and switch accessibility 56
defined policy set 15
deleting a policy 86
digital certificate
    obtaining 34
digital certificates
    distributing to the switches 34
    loading 34
    obtaining 34
    verifying 38, 39
digital certificates and PKI objects 114
disabling secure mode 128
display general information 90